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Abstract 


A  Multiple  Model  Adaptive  EstimatiOD  (MMAE)  algorithm  is  applied  to  the  Variable  Stability  In-flight 
Simulator  Test  Aircraft  (VISTA)  F-16  at  a  low  dynamic  pressure  flight  condition  (0.4  Mach  at  20000  ft).  A 
complete  F-16  flight  control  system  is  modeled  containing  the  longitudinal  and  lateral-directional  axes.  Single 
and  dual  actuator  and  sensor  failures  are  simulated  including:  complete  actuator  failures,  partial  actuator  failures, 
complete  sensor  failures,  increased  sensor  noise,  sensor  biases,  dual  complete  actuator  failures,  dual  complete 
sensor  failures,  and  combinations  of  actuator  and  sensor  failures.  Failure  scenarios  are  examined  in  both 
maneuvering  and  straight  and  level  flight  conditions.  The  system  performance  is  characterized  when  excited 
by  purposeful  commands  and  dither  signals.  Single  scalar  residual  monitoring  techniques  are  evaluated  with 
suggestions  for  improved  performance.  A  Kalman  filter  is  designed  for  each  hypothesized  failure  condition. 
In  this  thesis,  thirteen  elemental  Kalman  filters  are  designed  encompassing:  a  no  failure  filter,  left  stabilator 
failure  filter,  a  right  stabilator  failure  filter,  a  left  flaperon  failure  filter,  a  right  flaperon  failure  filter,  a  mdder 
failure  filter,  a  velocity  sensor  failure  filter,  an  angle  of  attack  sensor  failure  filter,  a  pitch  rate  sensor  failure 
filter,  a  normal  acceleration  sensor  failure  filter,  a  roll  rate  sensor  failure  filter,  a  yaw  rate  sensor  failure  filter, 
and  a  lateral  acceleration  sensor  failure  filter.  The  Bayesian  Multiple  Model  Adaptive  Estimator  (MMAE) 
algorithm  blends  the  state  estimates  from  each  of  the  filters,  representing  a  hypothesized  failure,  multiplied  by 
the  filters  computed  probability.  The  blended  stale  estimates  are  sent  to  the  VISTA  F-16  flight  control  system. 
A  hierarchical  "moving  bank"  structure  is  utilized  for  multiple  failure  scenarios.  Simultaneous  dual  failures  are 
included  within  the  study.  White  Gaussian  noise  is  included  to  simulate  the  effects  of  atmospheric  disturbances, 
and  white  Gaussian  noise  is  added  to  the  measurements  to  simulate  the  effects  of  sensor  noise.  Each  elemental 
Kalman  filter  is  compared  to  the  truth  model  with  a  selected  failure.  Filters  with  residuals  that  have  mean 
square  values  most  in  consonance  with  their  internally  cwnputed  covariance  are  assigned  the  higher  probabilities. 
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MULTIPLE  MODEL  ADAPTIVE  ESTIMATION 
APPLIED  TO  THE  VISTA  F-I6  WITH 
ACTTUATOR  AND  SENSOR  FAILURES 


L  INTRODUCTION 


1.1  General 

From  the  advent  of  the  mechanical  flight  control  system  of  the  1903  Wright  Flyer  to  the  modem  F-16  digital 
fly-by-wire  flight  control  system,  engineers  have  applied  advancing  technologies  in  an  effort  to  improve 
performance,  reliability,  maintainability,  robustness,  and  survivability.  The  evolution  of  failure  and  isolation 
techniques  (7]  integrated  within  the  flight  control  system  continues  with  the  application  of  the  Multiple  Model 
Adaptive  Estimator  (MMAE)  [2,5,6,11,121  and  Multiple  Model  Adaptive  Controller  (MMAC)  [5,6,8,10]. 

While  the  MMAC  algorithm  was  developed  in  the  early  seventies  [7],  application  of  the  algorithm  wasn't 
practical  at  the  time.  The  MMAC  algorithm  uses  multiple  elemental  controllers,  each  of  which  can  represent 
a  specific  failure  condition.  Inherent  to  the  algorithm’s  performance  is  the  evaluation  of  each  controUer 
simultaneously,  yielding  faster  and  better  detection  of  failures  (or  other  hypothesized  conditions)  than  would  be 
possible  without  parallel  computations.  Application  of  the  algorithm  wasn't  feasible  until  the  development  of 
parallel  processing  digital  computers.  A  significant  characteristic  of  this  algorithm  is  the  ability  to  detect  and 
isolate  failures  and  properly  reconfigure  the  control  system  to  operate  without  failed  sensors  and/or  actuators. 

The  complexity  and  inherently  nonlinear  nature  of  the  multiple  model  adaptive  controller  prevents  complete 
theoretical  analysis  of  its  closed  loop  performance.  However,  the  algorithm  lends  itself  to  computer  modelling 
and  simulation  in  order  to  characterize  its  performance  attributes. 

1.2  Problem  Statement 

Previous  research  efforts  have  addressed  a  number  of  interesting  modifications  to  the  MMAE/MMAC 
algorithms  for  a  variety  of  different  airaalt  often  only  in  the  longitudinal  axis  with  no  cross-axis  coupling 
[8,10].  We  will  investigate  the  ability  of  the  multiple  model  adaptive  estimator-based  controller  to  monitor  the 
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current  state  of  a  VISTA  F-16  [Appendix  B]  in  both  longitudinal  and  lateral-directional  axes,  at  a  low  dynamic 
pressure  flight  condition  (0.4  Mach  at  20,000  ft).  A  low  dynamic  pressure  test  case  provides  an  environment 
in  w  hich  control  surfaces  arc  less  effective  and  dynamic  damping  is  poor,  so  this  scenario  will  demonstrate  the 
algorithm's  characteristics  under  unfavorable  circumstances.  We  will  induce  various  types  of  single  and  dual 
failures,  including  partial  and  complete  actuator  and  sensor  failures.  Of  particular  interest  will  be  the  abihty  of 
the  MMAC  to  delect  and  isolate  the  failure  in  a  timely  manner,  in  order  to  maintain  stable  control  of  the  vehicle 
throughout  the  transiticn  period  afiei  the  oaset  of  a  failure. 

1.3  Overview  of  Thesis  Objectives 

As  a  starting  point,  we  will  briefly  review  the  MMAC  and  MMAE-based  controller  methodologies,  followed 
with  an  overview  of  three  techniques  used  to  construct  the  MMAE-based  controller  algorithm,  and  conclude  wiili 
a  discussion  of  the  objectives  of  the  thesis  effort  The  reader  is  assumed  to  have  a  good  knowledge  of  basic 
Kalman  filter  design  and  analysis  iechniques  [5,6,7]. 

1.4  A  Brief  Overview  of  the  MMAC  Algorithm 

The  implementation  of  the  multiple  model  adaptive  controller  for  this  application  requires  the  design  of  a 
scries  of  individual  elemental  controllers  corresponding  to  a  set  of  failure  modes  at  a  given  flight  condition.  The 
controllers  can  be  gain -scheduled  to  form  an  integrated  flight  control  system  capable  of  functioning  anywhere 
within  the  specified  flight  envelope. 

Figure  1-1  illustrates  the  MMAC  structure  with  its  bank  of  k  elemental  controllers,  each  of  which 
corresponds  to  a  given  failure  nHxlc.  The  failure  modes  can  be  developed  by  analyzing  the  flight  control  system 
within  its  proposed  operating  environment  As  an  example,  a  fighter  is  designed  to  operate  in  a  hostile 
environment.  The  failure  modes  for  a  fighter  might  include  the  partial  or  complete  loss  of  an  actuator  or  control 
surface.  One  would  also  include  the  biasing  or  complete  loss  of  any  sensor,  etc.  In  its  simplest  implementation 
using  a  constant-gain  controller,  each  of  the  elemental  controllers  consists  of  a  Kalman  filter  based  upon  the 
aircraft  plant  corresponding  to  the  failed  condition,  cascaded  with  a  deterministic  optimal  controller  gain,  both 
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Figure  1.1  Multiple  Model  Adaptive  Controller 


based  on  an  assumed  parameter  value,  If  a  is  a  parameter  representing  a  failure  space,  then  is  one  of  the 
possible  discrete  realizations  of  a,  in  this  case  one  possible  failure  mode.  Each  of  the  elemental  Kalman  filters 
utilize  the  same  measurement  realization  vector 


zitf)  =  z, 


(1-1) 


arxl  generate  state  estimates  and  a  measurement  residual  vector  where 


Z’jf/,-)  ~  Zf  -  ^ 


(1-2) 


and  the  subscript  k  corresponds  the  parameter  value  assumed  by  that  particular  elemental  filter.  The  residual 
vector  is  the  difference  between  the  observed  measurement  vector  and  the  predicted  value  from  the  filter. 
is  the  measurement  matrix  value  from  the  kt/t  filter,  ij/if)  is  the  Kalman  filter  estimate  of  the  state  vector 
before  the  incorporation  of  the  measurement  at  time  r^. 
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If  the  kth  niter  represcats  the  current  plant  conPiguration  (i.e.  the  failure  condition),  the  magnitude  of  the 
residual  from  the  filter  will  be  small,  on  the  order  of  the  size  of  the  residual's  standard  deviation  as  computed 
within  the  kth  niter  itself.  The  magnitudes  of  the  residuals  from  the  other  "mismatched"  filters,  representing 
other  failure  scenarios,  will  be  larger  than  anticipated  by  the  filter-computed  standard  deviation. 

In  summary,  the  elemental  controller  with  the  most  accurate  representation  of  the  current  plant  connguration 
will  provide  the  smallest  residual  to  the  MMAC  algorithm.  The  algorithm  will  assign  a  probability  to  each  of 
the  niters  (i.e.,  assumed  failure  scenarios)  based  upon  the  magnitude  of  the  associated  residual. 

1.5  Assignment  of  Probabilities 

From  Figure  l.J,  after  the  construction  of  the  residuals,  a  number  of  techniques  can  be  used  to  assign 
probabilities  to  each  of  the  elemental  controllers  and  generate  an  adaptive  control  vector,  thesis 

will  examine  three  techniques.  Some  previous  research  efforts  have  addressed  the  formulation  of  the  control 
vector  WjVfM/tC  using  a  maximum  a  posteriori  (MAP)  approach,  a  Bayesian  approach,  and  a  modified 
Bayesian  approach  (10]. 

Using  a  MAP  technique,  the  single  conesponding  to  the  highest  probability  (i.e.,  with  residuals  having 
the  smallest  magnitude,  relative  to  the  filter-computed  standard  deviation)  would  be  selected  as  the  control  vector 
to  apply  to  the  plant  {Figure  1.2).  Past  research  efforts  demonstrated  the  ability  of  the  algorithm  to  select  a 
controller  in  a  timely  fashion;  however,  the  algorithm  cannot  adapt  well  to  any  failure  scenario  not  explicitly 
modelled  within  the  MMAC  hierarchy.  Specifically,  it  cannot  blend  together  the  outputs  of  two  or  more 
elemental  controllers  that  each  have  large  probabilities  such  as  controllers  based  on  no  failure  and  a  single 
bard  failure,  to  be  blended  together  to  address  a  partial  failure  of  that  same  sensor  or  actuator.  The  algorithm 
is  discussed  in  detail  in  Chapter  2. 

The  Bayesian  form  of  the  MMAC  algorithm  produces  a  probability-weighted  average  of  the  form: 

~  ]C*=l 
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Figure  1.2  Maximum  A  Posteriori  (MAP)  technique 


where  K  is  the  total  number  of  elemental  filter-controller  combinations,  *  deterministic  optimal 

full-state  feedback  control  law,  and  is  the  state  estimate  generated  by  a  Kalman  filter  for  the  kth  failure 
mode  modelled  within  the  multiple  model  adaptive  controller.  The  control  applied  to  the  plant  is  the  probability- 
weighted  average  of  all  of  the  individual  elemental  controller  outputs.  The  Bayesian  form  is  ideally  suited  to 
address  failures  that  may  not  be  explicitly  modelled  within  the  MMAC  hierarchy.  As  such,  it  is  capable  of 
blending  the  output  of  two  or  more  elemental  controllers  to  adapt  to  an  unmodelled  failure  condition.  The 
Bayesian  form  is  discussed  in  detail  in  Chapter  2. 

While  the  Bayesian  form  of  the  MMAC  algorithm  is  a  powerful  control  technique,  it  requires  some 
modification  for  practical  iiripiemeotation.  The  blending  of  the  outputs  of  each  of  the  elemental  controllers 
allows  for  the  adaptation  of  the  algorithm  for  failure  scenarios  not  explicitly  modelled  within  the  MMAC 
hierarchy;  however,  an  optimum  solution  would  suggest  that  only  the  output  of  models  with  hypotheses  that 


5 


"bound"  the  actual  failure  be  included  in  the  probability -weighted  control  vector,  For  instance,  control 

of  an  aircraft  with  a  50%  loss  of  stabilator  authority  might  be  accomplished  by  blending  the  outputs  of 
controllers  designed  for  a  fully  functional  vehicle  and  for  a  totally  failed  stabilator.  In  fact,  by  including  the 
output  of  models  unrelated  to  the  failure,  one  is  reducing  the  robusmess  of  the  algorithm,  since  these 
contributions  to  destabilizing  control  to  an  aircraft  with  a  failure  mode  other  than  that  for 

which  the  elemental  controller  was  designed.  The  modified  Bayesian  algorithm  accounts  for  this  phenomena 
by  establishing  a  lower  probability  bound,  below  which  control  vectors  are  excluded  from  the  calculation  of  the 
conbol  vector,  probabibty  weighted  sum.  An  additional,  even  lower  bound  prevents  the 

algorithm  form  ever  assigning  a  pj^  value  of  exactly  (or  essentially)  zero  to  any  elemental  controller,  since  that 
would  preclude  the  iterative  computation  of  from  ever  yielding  a  nonzero  value  for  that  probability  thereafter. 
Use  of  such  artificial  lower  bounding  on  p/^  further  motivates  the  use  of  modified  Bayesian  vs.  Bayesian 
algorithms,  to  preclude  a  nonzero  weighting  of  a  completely  erroneous  elemental  controller  in  the  formation  of 
“MMAO  explanation  of  this  effect  can  be  found  in  Chapter  2.  In  this  thesis,  the  MMAE  algorithm  is 
implemented  as  explained  in  Section  1.6. 

1.6  MMAE-Based  Control 

MMAE-bascd  control  was  selected  over  MMAC  based  control  for  many  reasons.  In  this  research  effort, 
the  control  system  was  selected  from  existing  control  systems.  Previous  efforts  designed  control  systems  with 
the  objective  of  reconfiguring  the  estimator  and  controller  portions  of  the  system  upon  the  isolation  of  a  failure. 
The  purpose  of  this  effort  is  to  demonstrate  the  algorithm's  robustness  and  emerging  maturity  by  applying  the 
algorithm  to  a  full-scale  control  system  in  use  with  the  United  States  Air  Force.  In  addition,  the  primary  focus 
of  this  effort  is  the  detection  and  isolation  of  failures,  not  the  reconfigurability  of  the  control  laws  (we  anticipate 
the  possibility  of  loss  of  control  for  some  failure  combinations).  Another  important  consideration  for  the 
selection  of  MMAE-bascd  control  is  the  demonstration  of  this  technique  on  an  Air  Force  test  vehicle.  In  the 
event  of  good  performance  from  the  research  effort,  o{^rtuoities  may  exist  to  demonstrate  the  algorithm  on 
this  or  another  test  vehicle.  A  flight  test  would  be  another  maturation  step  for  the  algorithm  and  provide 
valuable  information  to  assess  the  real  world  implications  of  applying  the  algorithm  to  a  flight  vehicle. 
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Figure  1.3  MMAE-Bascd  Control 


As  previously  stated,  the  MMAE  algorithm  is  ideally  suited  for  failure  detection  and  isolation.  Figure  1.3 
illustrates  the  MMAE  algorithm  structure.  The  residuals  from  each  of  the  Kalman  filters,  representing  a  different 
hypothesized  failure,  determine  the  appropriate  magnitude  of  the  probahility  assigned  to  each  filter.  In  this 
manner,  failures  are  detected  and  identified  according  to  the  probability  assigned  to  the  filter. 

7.7  Research  Objectives 

Previous  research  invesUgated  the  use  of  the  MMAC  algorithm  with  elemental  controUers  designed  for  a 
corresponding  set  of  failure  conditions  [8.101.  This  research  effort  wiU  follow  previous  work  and  apply  MMAE- 
bascd  control  techniques  to  the  VISTA  F-16  aircraft  using  a  MMAE  cascaded  with  a  FORTRAN  model  of  the 
F-16  flight  control  system. 
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The  primary  issue  throughout  this  effort  will  be  failure  detection  and  isolation.  If  the  current  VISTA  F-16 
flight  control  system  is  unable  to  maintain  stabiiity  for  a  given  failure,  once  the  failure  mode  is  correctly 
ideutined,  we  will  assume  that  a  controller  could  be  developed  to  fulfill  that  rerjuiiemenL  By  evaluating 
different  MMAE-based  control  algorithms  and  their  ability  to  detect  and  isolate  failures,  we  can  validate  previous 
efforts  while  simultaneously  advancing  the  state  of  the  art  by  applying  these  techniques  to  a  longitudinal-and- 
latcral-directional  flight  control  system  in  service  with  the  United  States  Air  Force. 

1.8  Research  Questions 

1.8.1  Probability  Convergence 

Some  questions  of  interest  include: 

Do  the  elemental  probabilities  converge  to  a  solution?  Is  the  solution  the  correct  one? 

For  dual  failures,  is  the  convergence  path-dependent  (i.e.,  is  the  order  of  failure  occurrence 

important  for  convergence  properties)? 

Are  the  convergence  rates  quick  enough  to  prevent  large  transients  or  loss  of  control? 

Are  the  convergence  rates  dependent  on  the  failure  type? 

When  inducing  a  failure  into  the  system,  we  would  expect  the  residuals  of  the  elemental  controller 
corresponding  to  the  true  system  failure  status  to  be  small  as  compared  to  the  residuals  of  other  "mismatched" 
filters.  For  a  failure  not  explicitly  modeled  in  the  bank  of  elemental  controllers,  we  would  anticipate  a  blending 
of  the  control  vectors  from  the  "bounding"  elemental  controllers. 

White  it  may  be  obvious  that  the  proper  detection  and  identification  of  failures  not  explicitly  modelled  in 
the  bank  of  elemental  controllers  will  characterize  the  capabilities  of  the  MMAC  algorithm,  both  cases  (explicitly 
modelled  and  not)  are  of  interest.  One  attribute  we  can  use  to  measure  performance  is  how  quickly  the 
algorithm  converges  to  a  solution.  A  comparison  of  convergence  time  between  hard  (complete)  and  soft  (partial) 
actuator  or  sensor  failures  provides  insight  into  future  enhaiKements  to  the  calculation  and  assignment  of 
probability  weightings.  Expanding  the  thought  process,  we  can  compare  convergence  properties  between  failures 
explicitly  modeled  in  the  bank  of  elemental  controllers  aixl  those  which  are  not.  For  dual  failures,  we  can 
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identify  any  ambiguities  which  may  arise  due  to  the  order  in  which  the  failures  occur. 

If  the  MMAE  or  MMAC  algorithm  only  had  to  address  failures  expUcitly  modelled  in  the  bank  of  elemental 
controllers,  the  Kalman  filters  within  each  elemental  controller  could  be  tightly  tuned  to  provide  optimum 
performance  at  design  conditions.  From  a  probabilistic  viewpoint,  an  infuiite  number  of  flight  control  system 
failure  variations  are  possible.  The  nature  of  this  problem  forces  the  consideration  of  failures  not  explicitly 
modelled  w  ithin  the  bank  of  elemental  controllers.  Tuning  a  Kalman  filter  in  any  of  the  elemental  controllers 
to  optimize  its  performance  for  a  single  failure  mode  may  improve  performance  for  that  failure  condition  but 
may  cause  significant  degradation  for  those  cases  not  explicitly  modelled.  However,  one  cannot  afford  to  add 
too  much  dynamic  pscudonoise  during  the  tuning  process,  because  it  masks  inadequacies  of  assumed  models, 
and  thus  incapacitates  adaptation.  The  best  combination  is  a  tightly  tuned  filter  combined  with  an  enhaiKed- 
robustness  full-state  feedback  controller.  One  would  obtain  good  adaptation  to  failure  status  and  a  robust 
controller  if  some  degree  of  misidentification  occurs. 

The  convergence  rate  of  the  probability  weightings  not  only  indicates  the  MMAE/MMAC  algorithm’s 
performance,  but  is  also  indicative  to  how  well  the  elemental  controllers  model  the  true  system  state  for  a  given 
failure  condition.  For  an  explicitly  modelled  failure,  a  rapid  convergence  rate  directly  corresponds  to  a  good 
match  between  the  tme  s>stem  failure  status  and  the  elemental  controller.  For  the  "matching"  filter/controller, 
the  residuals  from  that  filter  will  be  small  compared  to  the  residuals  of  other  "mismatched"  filters. 

1.8.2  Residual  Monitoring 

By  monitoring  the  residuals  generated  by  each  of  the  Kalman  filters  within  the  bank  of  elemental  controllers, 
one  can  identify  which  filter  model  represents  the  best  indication  of  the  current  system  status.  The  "best"  HKxlel 
will  have  a  residual  mean  squared  value  consistent  with  its  own  internally  computed  covariance. 

Questions  of  interest  include: 

Are  there  additional  techniques  which  may  enhance  the  algorithm's  performance? 

Can  additional  voting  {beyond  the  probability  calculations)  improve  the 

performance  of  the  algorithm?  Is  it  useful  to  monitor  the  scalar  components  of 
the  residual  vector,  rather  than  the  entire  residual  vector  as  done  by  the  MMAEIMMAC 
algorithm  itseip 
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Are  there  situations  in  which  residual  monitoring  breaks  dawn? 

In  what  situations  does  “Beta  Dominance"  become  important  (for  an  explanation  of 
this  effect,  see  Chapter  2),  and  what  are  the  viable  solutions  to  this  problem? 

1.8.3  Hierarchical  Modeling 

The  MMAE/MMAC  algorithm  provides  flexibility  in  its  application  to  single  and  multiple  failures.  Given 
a  rclativcly  small  finite  set  of  failure  conditions,  it  might  be  feasible  to  design  an  elemental  controller  for  every 
failure  condition  within  the  set.  For  a  flight  control  system  application,  this  is  not  practical.  Modeling  the  single 
and  dual  failures  of  K  sensors  and/or  actuators  would  require  l+K+Kfl((K-2)?2!)  elemental  filters,  with  one  no- 
failure  filter.  K  single-failure  filters,  and  K!l({K-2)>2!)  dual-failure  fillers  [10,11). 

An  alternative  method  used  in  previous  flight  control  research  involves  a  "moving  bank"  of  1+K  filters 
[10,1 1,12).  This  technique  significantly  reduces  the  computational  burden  by  requiring  fewer  elemental  fillers 
to  be  "on  line"  at  any  given  time. 

Figure  1.4  identifies  the  hierarchical  structure  of  the  "moving  bank"  of  filters.  At  level  0,  filters  fly  through 
correspond  to  the  single- failure  niters.  Filter  a^j  is  the  no-faiJure  filter.  The  algorithm  continuously  monitors 
the  system  with  the  (l-vK)  Level  0  filters.  At  the  isolation  of  a  single  failure,  the  algorithm  will  activate  the 
appropriate  Level  1  bank  of  ( /  +IC)  elemental  filters  designed  for  the  isolated  failure  alone  and  any  other  possible 
second  failure.  The  addition  of  a  no-failure  filter  allows  the  algorithm  to  "back  out"  of  the  decision  tree 
structure  and  return  to  Level  0  ;n  the  event  of  a  first  misidentified  failure,  intermittent  failure,  etc. 

Questions  of  interest  include: 

Will  hierarchical  modeling  provide  good  multiple  failure  performance  for  the  current 
application? 

In  the  event  of  simultaneous  dual  failures,  will  the  algorithm’s  performance  be 
path-dependent? 

1.8.4  Time  Sequencing  Between  Failures 

Preliminary  investigations  of  dual  failure  scenarios  will  coiKcntrate  on  the  ability  of  the  algorithm  to  identify 
two  failures  separated  in  time.  After  the  system  performance  has  been  characterized,  the  time  between  failures 
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will  be  reduced.  Eventually,  simultaneous  failures  will  be  investigated.  Of  particular  interest  will  be  the  ability 
of  the  algonthm  to  identify  two  simultaneous  failures  correctly. 


1.8.5  Cross-Axis  Coupling 


The  VISTA  F-16  uses  stabilators  for  both  pitch  and  roll  control.  Cross-axis  coupling  may  occur,  for 
instance,  if  a  failure  in  one  axis  is  propagated  through  the  stabilators  and  identified  by  the  MMAC  algorithm 
as  a  failure  in  another  axis. 

As  an  example,  assume  that  a  stabilator  failure  is  introduced.  The  failure  will  propagate  through  the  flight 
control  system  and  will  be  summed  with  the  pitch  axis  commands  at  the  stabilator  mixers.  The  output  of  the 
stabilator  contains  the  unfailed  pitch  axis  signal  and  a  signal  from  the  roll  axis  containing  the  subsystem  failure 
effects.  The  MMAC  algorithm  may  identify  the  roll  axis  failure  from  the  residuals  of  one  of  the  elemental 
filters  within  the  bank  or  it  may  not  The  MMAC  algorithm  may  have  a  difficult  time  resolving  whether  the 
roll  axis,  the  pitch  axis,  or  both  contain  the  failure. 

Questions  of  interest  include: 

Are  there  any  misidentification  of  failures  due  to  the  cross-axis  coupling  phenomena? 

Can  additional  voters  be  used  to  improve  the  algorithm’s  performance? 

Are  filters  specifically  designed  to  address  a  failure  that  may  affect  states  in  both 

axes  ("cross  coupling"  filters)  necessary? 

Can  the  algorithm  properly  identify  multiple  failures  in  different  axes? 

1.9  Scope 

The  research  effort  constructs  a  multiple  model  adaptive  estimator-based  controller  using  a  computer 
simulation  of  a  VISTA  F-16  flight  control  system.  The  flight  control  system  differs  from  the  full  VISTA  flight 
control  system  [Appendix  B]  by  the  following  aspects: 

1)  Dynamics  above  40  radlsec  are  ignored  (secondary  dynamic  effects) 

2)  Fourth  order  actuator  models  are  replaced  by  first  order  models  (1st  order  actuators  simplify 
the  model  and  provide  a  good  frequency  response  match  in  the  frequencies  of  interest) 
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J)  The  flight  control  system  is  modeled  as  a  continuous  system  using  Euler  integration 
techniques  instead  of  a  40  Hz  digital  controller.  Eventually,  the  sampled  data  nature 
of  the  controller  will  be  captured.  (Simulation  results  indicate  minimal  differences 
between  the  digital  coruroller  and  the  fast-sampling  Euler  technique.  The  flight  control 
system  was  coded  using  an  analog  representation  of  a  block  diagram.  The  digital  version 
became  available  after  preliminary  checkout  had  begun.  Given  the  limited  time  available 
for  testing,  a  decision  was  made  to  proceed  with  the  checkout  and  begin  data  runs.) 


The  flight  control  system  docs  include  both  the  longitudinal  and  lateral-directional  axes,  gain  scheduling,  position 
and  rate  limits  (in  the  controller  software  as  well  as  in  the  physical  hardware  implementation),  angle  of  attack 
limiting,  the  leading  edge  flap  controller,  trim  effects,  command  and  position  breakouts,  surface  biases,  and  the 
yaw  stmctural  filter,  as  in  the  current  full  VISTA  F-16  flight  control  system. 

The  aerody  namic  model  is  linearized  about  a  flight  condition  of  0.4  Mach,  20000  ft  The  model  includes 
the  pitch  attitude,  velocity,  angle  of  attack,  pitch  rate,  sideslip  angle,  roll  angle,  roll  rate,  and  yaw  rate.  The 
control  vector  includes  the  left  and  right  stabilator  positions,  the  left  and  right  flaperon  positions,  the  mdder,  and 
the  leading  edge  flap.  Since  the  model  is  linearized  about  a  selected  flight  condition,  the  thrust  is  constant  in 
this  perturbation  model. 

The  performance  analysis  of  the  MMAE-based  control  algorithm  begins  by  inducing  hard  modeled  failures, 
soft  modeled  failures,  and  finally  uomodclled  failures.  Following  the  evaluation  of  single-failure  performance, 
dual-failure  scenarios  will  be  investigated.  Initially,  the  time  between  the  first  failure  and  the  induction  of  the 
second  failure  will  be  large.  As  confidence  in  the  ability  of  the  system  to  isolate  both  failures  increases,  the 
time  between  the  failures  will  be  reduced.  Eventually,  simultaneous  dual  failures  will  be  studied. 

1. 10  Limitations 

Undoubtedly,  the  most  obvious  limitation  throughout  this  study  is  the  use  a  Unearized  VISTA  F-16 
aerodynamic  model.  However,  since  our  interest  lies  within  the  area  of  failure  detection  and  isolation,  as 
opposed  to  control,  this  is  not  considered  a  restrictive  limitation.  If  time  permits,  we  may  elect  to  test  against 
the  full  nonlinear  simulation  model.  Another  limitation  is  the  use  of  reduced  order  actuators  which  allow  a 
simpler  implementation  in  the  model.  Frequency  response  characteristics  for  first  vs.  fourth  order  actuators  are 
essentially  equivalent  for  the  frequencies  of  interest  We  simulate  the  Dryden  wind  model  {8,9,10,1 1,13]  using 
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the  appropriate  shaping  filters  driven  by  white  Gaussian  noise  of  the  appropriate  strength.  Within  the  elemental 
filters,  we  represent  sensor  dynamics  as  essentially  instantaneous,  with  the  sensed  output  being  corrupted  by 
discrete-time  white  Gaussian  noise  of  appropriate  covariances.  One  of  the  strengths  of  this  study  is  its  realistic 
nKxJels,  particularly  of  the  VISTA  F-16  flight  control  system  (as  opposed  to  a  strictly  "papCT"  study).  The 
limitations  listed  within  this  study  do  not  seriously  bound  the  validity  of  the  results. 

LI  I  Report  Format 

Chapter  2  discusses  the  MMAE/MMAC  develofxnent  in  depth,  including  a  complete  description  of  the 
modified  Bayesian  algorithm.  Chapter  3  addresses  the  models  used  within  the  study,  provides  an  overview  of 
the  VISTA  F-16  flight  control  system,  discusses  the  integration  of  the  models,  and  outlines  the  data  collection 
process.  Chapter  4  presents  the  results  in  a  "walk  through"  fashion.  The  data  is  exhibited  in  chronological  order 
with  the  appropriate  comments,  observations,  and  conclusions  included.  Chapter  5  summarizes  the  data  and 
provides  a  comprehensive  list  of  the  significant  conclusions  and  recommendations  for  future  research. 

1.12  Summary 

The  goal  of  this  chapter  has  been  to  present  the  MMAC  and  MMAE-based  control  algorithms  and  provide 
motivation  for  their  implementation.  Based  upon  die  projected  cost  of  future  military  aircraft,  sufficient 
motivation  exists  within  the  Air  Force  to  increase  the  survivability  of  our  present  and  future  aircraft  The 
MMAE/MMAC  algorithm  may  fulfill  that  need.  The  application  of  this  algorithm  to  a  sophisticated  flight 
control  system  currently  in  service  with  the  USAF  provides  a  realistic  and  valuable  test 

This  chapter  discusses  the  construction  of  the  MMAE/MMAC  algorithm  and  demonstrates  the  hierarchical 
structure  utilized  in  addressing  multiple  failures.  The  assignment  of  elemental  controller  probabilities  using  a 
modified  Bayesian  form  allows  the  algorithm  to  blend  control  outputs  in  an  eR^ort  to  address  unmodelled  failures. 
Additional  voting  techniques  may  be  necessary  to  resolve  ambiguities  in  the  detection  and  isolation  of  failures. 

A  large  number  of  questions  remain  to  be  answered  concerning  the  algorithm's  ability  to  isolate  single  and 
multiple  failures,  distinguish  between  simultaneous  failures,  and  differentiate  between  longitudinal  and  lateral 
directional  failures.  Investigating  these  questions  forms  the  basis  of  this  research. 
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n.  MULTIPLE  MODEL  ADAPTIVE  ESTIMATION 


2.1  Algorithm  Development 

Let  a  denote  a  vector  of  uncertain  parameters  in  a  given  linear  stochastic  state  model  for  a  dynamic  system. 
For  this  application  a  resides  in  the  space  of  actuator  and/or  sensor  failures  within  a  flight  control  system,  llie 
a  parameters  can  affect  the  model  structure  or  the  noises  entering  it  The  continuous  range  of  a  is  discretized 
to  provide  a  computationally  feasible  solution.  By  defining  the  hypothesis  conditional  probability  as  the 
probability  that  a  assumes  a  value  (for  k  -  1, 2, ...  K),  conditioned  on  the  observed  measurement  history  to 
time  tj. 

=  Probia  =  fl*  lZ(/j)  =  Z,)  (2-1) 

then  we  can  show  that  Pffl^)  can  be  evaluated  recursively  for  all  it  via  the  iteration: 

/:(/()  la.2(/,_,) 

— —  . 

^=1 (Z,- 1  Oj,Zi_-i)  'pfJi-\)  (2-2) 

The  measurement  history  random  vector  Z//,)  is  made  up  of  partitions  zU^)  ...  z{t^)  which  correspond  to  the 
measurement  vectors  available  at  the  samp!<'  times  tj  ...  The  realization  Z,-  of  the  measurement  history  vector 
has  partitions  Zy ...  z,.  The  Bayesian  minimum  mean  square  error  estimate  of  the  state  is  the  probabilistically 
weighted  average: 

id*)  -  Eixdi)  iZdi)  =Zj]  = 


where  is  the  state  estimate  generated  by  a  Kalman  filter  based  on  the  assumption  that  the  parameter 
vector  equals  More  explicitly,  let  the  model  corresponding  to  be  described  by  (an  "equivalent  discrete¬ 
time  model"  (5,7]  for  a  continuous-time  system  with  sampled  data  measurements): 
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Z(li)  -  W*(»/)JCi(/,)  ♦  v*(/i) 


where  X)^  is  the  state,  m  is  a  control  unit,  is  a  discrete-time  zero-mean  white  Gaussian  dynamic  noise  of 
covariance  at  each  z  is  the  measurement  vector,  and  is  discrete -time  zero-mean  white  Gaussian 
mcasurcnKnt  noise  of  covariance  at  assumed  independent  (and  thus  uncorrclated)  of  The  initial 
condition  xd^}  is  modeled  as  Gaussian,  with  mean  and  covariance  Pj^  and  is  assumed  independent  of 
and  v^.  Based  on  this  set  of  models,  the  Kalman  filler  is  speciBed  by  the  measurement  update; 


RkOi)  =  Pk(U)»Ii’i)A~t\ti) 


and  the  time  propagation  relations: 


(2-10) 


(2-11) 
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Figure  2.1  Multiple  Model  Adaptive  Estimation  Algorithm 


As  such,  the  multiple  model  adaptive  filtering  algorithm  is  composed  of  a  bank  of  K  separate  Kalman  filters, 
each  based  on  a  particular  value  O/  ...  of  the  parameter  vector  o,  as  depicted  in  Figure  2.1.  When  the 
measurement  becomes  available  at  the  residuals  r ...  r are  generated  in  the  K  filters  as  shown  by 
the  bracketed  term  in  Eq  (2-8),  and  used  to  compute  ...  via  Eq.(2-2).  Each  numerator  density 
function  in  Eq.(2-2)  is  given  by. 
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where  m  is  the  measurement  dimension  and  is  the  residual  covariance  calculated  in  the  Kalman  filter 
as  in  Eq  (2-6).  The  denominator  in  Eq  (2-2)  is  simply  the  sum  of  all  the  computed  numerator  terms  and  thus 
is  the  scale  factor  required  to  ensure  that  the  P^ft/s  sum  to  one  [5,7,11,17].  Thus  the  filter  probabilities  must 
satisfy  two  constraints: 


P*(/,)>0 


(2-14) 


Zit  Pk(U)  =  1 

(2-15) 


In  operation,  one  expects  the  residuals  of  the  Kalman  filter  with  the  hypothesis  that  best  matches  the  tme  system 
state  to  have  mean  squared  value  most  in  consonance  with  its  internally  computed  covariance,  The 

performance  of  the  algorithm  depends  on  the  existence  of  significant  differences  in  the  characteristics  of 
"correct"  vs  "mismatched"  fitters’  residuals.  Each  filter  should  be  tuned  for  best  performance  when  the  true 
values  of  the  uncertain  parameters  match  the  assumed  value  for  these  parameters.  The  addition  of  substantial 
amounts  of  dynamics  pseudonoise  to  the  dynamics  model,  often  used  to  guard  against  filter  divagence,  should 
be  avoided  as  it  tends  to  mask  the  differences  between  good  and  bad  models  [5,7]. 

Although  the  multiple  model  estimation  algorithm  appears  similar  to  the  multiple  model  adaptive  controller, 
fundamental  differences  exist  between  the  two  algorithms.  The  intent  of  the  multiple  model  estimation  algorithm 
is  to  generate  a  composite  from  each  of  the  K  elemental  filter  estimates  as  shown  in  Figure 

2.1.  In  this  thesis,  we  are  compensating  for  parameter  uncertainties  in  B  and  H  representing  actuator  and  sensor 
failures;  a  hard  actuator  failure  is  modeled  with  a  column  of  B  going  to  zero,  and  a  sensor  bard  failure  is 
represented  by  a  row  of  H  being  zeroed.  The  multiple  model  adaptive  estimation  algorithm  produces  a 
composite  state  estimate  vector  used  by  the  flight  control  system,  as  shown  in  Figure  13. 
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2.2  Modified  Bayesian  Form 


The  final  probability-weighted  average  of  the  state  estimates,  computed  as  shown  in  Figure  2.1,  is  produced 
by  a  modified  Bayesian  form  of  the  MMAE  algorithm.  A  Bayesian  form  of  the  algorithm  allows  for  a  blending 
of  filters  designed  for  hard  failures  and  those  designed  for  no  failures  to  address  partial  or  soft  failures.  Practical 
implementation  requires  a  lower  bound  when  computing  the  probabilities  according  to  Eq  (2-2).  The  addition 
of  a  lower  bound  prevents  the  algorithm  from  assigning  any  single  a  value  of  zero,  which  would  prevent 
it  from  being  considered  in  future  probability  computations.  From  the  iterative  nature  of  Eq.  (2-2),  if 
were  assigned  a  value  of  zero  for  one  of  the  filters,  subsequent  probability  calculations  for  that  filter  would  also 
assign  a  probability  of  zero  (i.e.  -  0).  The  addition  of  a  lower  bound  provides  another  favorable 

characteristic.  The  number  of  iterations  required  to  increase  a  very  small,  but  nonzero,  significantly  increases 
for  smaller  magnitudes  of  values.  By  providing  a  lower  bound  we  allow  values,  previously  not  important 
to  the  combined  state  estimate,  to  increase  in  a  timely  manner  if  the  system  state  changes  such  that  the  parameter 
value  becomes  the  best  hypothesized  value. 

A  second  lower  bound  excludes  the  contributions  of  filters  whose  hypothesis  has  nothing  to  do  with  the  true 
system  failure  status  from  being  included  in  the  formulation  of  the  control  vector  This  bound  improves 

performance  by  ignoring  unrelated  filters  whose  probabilities  are  small.  This  is  important  in  view  of  the 
artificial  lower  bounds  presented  in  the  previous  paragraph.  Such  artificial  bounds  could  cause  nonzero 
contributions  from  totally  erroneous  filters  to  be  included  in  the  weighted  sum  of  Eq  (2-3). 

The  combination  of  these  two  bounds  demonstrates  the  transition  firom  a  theoretical  Bayesian  form  to  the 
application  of  the  modified  Bayesian  form.  Figure  2.2  graphically  displays  the  bounds  developed  for  use  in  this 
research  effort  Of  particular  interest  is  the  selection  of  the  bound  magnitudes.  The  smallest  bound  should  be 
selected  to  prevent  any  value  of  from  being  assigned  an  essentially  zero  value  while  allowing  good 
dynamic  growth  of  performance  should  that  particular  parameter  value  become  the  best  new  parameter 
value  due  to  a  change  in  the  true  system  failure  conditions.  The  second  bound  prevents  filters  whose  hypotheses 
are  unrelated  to  the  true  failure  from  being  considered  in  the  formulation  of  the  control  vector.  This  bound  must 
not  be  so  large  as  to  interfere  with  the  MMAE  algorithm’s  adaptation  performance.  Too  small  a  bound  would 
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Figure  2.2  Modified  Bayesian  Fonn  -  Lower  bounds 

cause  unrelated  filters  to  contribute  to  tbe  control  vector  and  reduce  system  performance.  As  is  often  tbe  case 
in  research  efforts,  such  threshold  values  must  be  established  empirically.  Experience  shows  a  value  of  0.0001 
for  the  lower  probability  bound  and  0.003  for  the  upper  probability  bound  produces  tbe  desired  effect  [10,11]. 

2.3  "Beta  Dominance  " 

As  discussed  earlier  in  Chapter  2,  tbe  hypothesis  probabilities  are  calculated  according  to  Eq.  (2-2). 
Earlier  efforts  [2,4,6,10]  noted  that  the  leading  coefficient  preceding  the  exponential  term  in  Eq  (2-12)  does  not 
provide  any  useful  infonnation  in  the  identification  of  the  failure.  Tbe  likelihood  quotienL 

Lt  = 

(2-16) 

which  appears  within  the  exponential  of  Eq  (2-13).  compares  the  squared  residual  with  the  hypothesized  filter's 
internally  computed  residual  covariance.  Filters  with  residuals  that  have  mean  square  values  most  in  consonance 
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with  their  internally  computed  covariance  are  assigned  the  higher  probabilities  by  the  MMA£  algorithm. 
However,  if  the  likelihood  quotients  were  nearly  identical  in  magnitude  for  all  k,  the  probability  computations 
of  Eqs.  (2-2),  (2-12),  and  (2-13)  would  be  based  upon  the  magnitude  of  the  determinants  of  the  matrices, 
resulting  in  an  incorrect  assignment  of  the  proc  abilities  that  would  be  independent  of  the  real-world 
measurements.  This  effect  is  known  as  "Beta  Dominance".  Because  sensor  failures,  as  simulated  by  zeroing 
out  a  row  of  H,  yield  smaller  determinant  values  and  thus  larger  values,  "Beta  Dominance"  produces 
a  tendency  to  generate  false  alarms  about  sensor  failures. 

Previous  efforts  removed  the  tenn  preceding  the  exponential  in  Eq.  (2-12)  [10,11,12],  with  significant 
enhancements  of  performance  and  reduction  of  sensor  failure  false  alarms.  Since  the  denominator  of  Eq.  (2-2) 
contains  the  sununation  of  all  numerator  terms,  excluding  the  terms  preceding  the  exponentials  in  the  calculation 
of  the  probabilities  does  not  alter  the  fact  that  the  computed  probabilities  sum  to  one. 

2.4  Scalar  Residual  Monitoring 

Incorrect  or  ambiguous  failure  identification  may  be  resolved  through  the  use  of  scalar  residual  monitoring. 
Eqs.  (2-2),  (2-13),  and  (2-14)  demonstrate  the  relationship  of  the  probability  calculations,  the  probability  density 
function,  and  the  likelihood  quotient  These  three  equatic^os  demonstrate  the  dependency  of  the  probability 
calculations  on  the  magnitude  of  the  likelihood  quotient  Eq.  (2-14).  The  likelihood  quotient  is  merely  the  sum 
of  scalar  terms  relating  the  product  of  any  two  scalar  cotiponents  of  the  residual  vector  and  the  filter's  internally 
computed  covariance  for  those  two  components.  If  a  sensor  failure  occurs,  the  single  scalar  term  associated 
solely  with  that  sensor  should  have  a  residual  value  with  a  magnitude  that  is  mueh  larger  than  the  associated 
variance  in  all  of  the  elemental  filters  except  for  the  filter  designed  to  "look"  for  that  sensor  failure.  Scalar 
residual  monitoring  can  be  used  as  an  additional  vote  when  attempting  to  reduce  or  eliminate  failure 
identification  ambiguities.  Scalar  residual  monitoring  is  particularly  useful  when  attempting  to  identify  sensor 
failures.  There  is  a  direct  relationship  between  filters  designed  for  sensor  failures  and  the  generation  of  single 
scalar  residuals  corresponding  to  a  sensor  failure.  Failed-actuator  elemental  filters  do  not  exhibit  such  direct 
relationships  and  often  provide  a  more  challenging  test  for  the  MMAE  algorithm.  This  thesis  will  attempt  to 
demonstrate  the  effectiveness  of  previous  methods  to  identify  actuator  failures  and  provide  additional  techniques 
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and  insight  to  reduce  failure  detection  ambiguities.  In  characterizing  the  perfoimance  of  the  algorithm  and  the 
ability  of  scalar  residual  monitoring  to  improve  that  performance,  conditions  in  which  scalar  residual  monitoring 
breaks  down  will  be  documented. 

2J  Hierarchical  Modeling 

Previous  discussion  in  Chapter  2  restricted  the  ai^lication  of  the  MMAE  algorithm  to  single  failure 
scenarios.  The  research  effort  used  a  building  block  approach  to  addressing  system  failures.  Chapter  4  presents 
the  results  for  single  complete  sensor  or  actuator  (hard)  failures  arxl  then  single  partial  actuator  failures  or 
increased  sensor  noise  (soft)  failures.  The  next  logical  step  in  this  progression  is  the  inclusion  of  multiple 
failures.  Figure  2.3  depicts  the  hierarchical  model. 

For  many  practical  complex  systems,  an  infinite  number  of  failure  scenarios  can  be  hypothesized.  As  an 
example,  consider  an  aircraft.  In  this  example,  the  failure  set  would  include:  surface  or  actuator  failures,  sensor 
failures,  wiring  failures,  software  failures,  etc,  and  both  hard  and  varying  degrees  of  soft  failures.  In  more 
precise  terms,  the  failure  space  would  include  an  rnfadte  aumber  of  possible  failure  scenarios.  Designing  filters 
for  each  of  these  scenarios  is  impractical  and  could  not  physically  be  implemented.  Additionally,  performance 
from  such  a  system  would  be  unacceptable  since  many  filters  would  be  virtually  indistinguishable  from  each 
other  in  residual  characteristics.  By  discretizing  the  failure  space,  an  acceptable  set  of  failure  scenarios  from 
which  to  build  filters  can  be  selected.  This  set  spans  the  failure  space  since  all  failures  under  consideration  are 
bounded  by  these  filters  (e.g.,  a  50%  failure  in  actuator  authority  is  bounded  by  a  fully  functional  filter 
hypothesized  with  no  failures  and  a  complete  actuator  failure).  The  blended  output  of  these  bounding  filters  can 
be  used  to  approximate  the  output  of  a  hypothesized  30%  actuator  failure  not  included  in  the  filter  "bank"  to 
generate  a  control  vector  "blending"  approach  allows  for  a  finite  number  of  filters  to  be  used  in 

the  design  of  the  MMAE  algorithm.  Given  the  assumption  of  a  specific  failure  having  occurred,  a  new  bank 
of  filters  is  created  based  upon  the  ftrst  failure  and  including  any  other  possible  second  failure  within  the  failure 
space.  The  hypothesis  of  no  failure  is  also  included,  to  allow  subsequent  measurements  to  reverse  the  decision 
that  the  first  failure  had,  in  fact,  occurred.  The  banks  of  filters  are  completely  precomputable.  This  allows  for 
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reduced  computational  loading  since  at  any  given  time  only  l-^-K  filters  are  on  line  (where  K  represents  the  total 
number  of  hypothesized  failures  and  the  additional  filter  assumes  no  failure).  This  technique  is  known  as  a 
"moving  bank"  of  filters.  Figure  2J  demonstrates  the  hierarchical  structure  of  the  "moving  bank"  of  filters. 
The  algorithm  continuously  computes  the  residuals  for  each  of  the  J+K  filters  and  assigns  probabilities  based 
upon  those  residuals.  Level  0  represents  the  no  failure  "bank"  of  elemental  filters.  Fi'ter  ag  is  the  no-failure 
filter.  Filters  based  on  hypothesized  values  represent  each  of  the  single  hard  failures.  When  a  single 


Level  0  LfiVfiLl 


Figure  2.3  Hierarchical  "Moving  Bank"  Model 
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failure  is  isolated  by  the  algorithm,  the  algorithm  will  activate  the  appropriate  Level  1  bank  of  {1+K)  filters 
designed  for  the  isolated  failure  alone  and  any  other  possible  second  fa’<ure.  The  addition  of  a  no-failure  filter 
allows  the  algorithm  to  "back  out"  of  the  structure  and  return  to  Level  0  in  the  event  of  a  first  misidentified 
filter,  intemuttent  failure,  etc. 

Dual  failures  will  concentrate  not  only  on  convergence  criteria  but  also  on  the  ability  of  the  algorithm  to 
address  simultaneous  failures.  Initially,  failures  will  be  separated  in  time  to  allow  transients  to  settle  to  steady 
state  and  the  algorithm  to  identify  the  first  failure.  After  the  system  performance  has  been  characterized  under 
these  conditions,  simultaneous  failures  will  be  addressed.  The  ability  of  the  algorithm  to  address  multiple  axes 
failures,  simultaneous  failures,  and  combination  hard  and  soft  failures  will  be  investigated. 

2.6  Summary 

This  chapter  presented  the  development  of  the  MMAE  algorithm.  The  Modified  Bayesian  form  of  the 
MMAE  algorithm  is  introduced  aixl  a  detailed  description  is  provided.  Two  probability  lower  bounds  necessary 
for  practical  implcrtKntation  are  described.  The  "Beta  Dominance"  effect  is  associated  with  the  fact  that  the 
likelihood  quotient  contains  the  useful  information  when  calculating  the  probabilities;  the  appropriate  tendency 
to  signal  sensor  failure  false  alarms  due  to  such  "Beta  Dominance"  is  readily  compensated  by  removing  the 
leading  coefficient  from  Eq.  (2-12).  Scalar  residual  monitoring  provides  an  additional  voting  algorithm  to 
resolve  failure  ambiguities.  Section  2.5  introduces  the  hierarchical  modeling  structure  used  for  multiple  failure 
identification. 
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III.  MODEL  METHODOLOGY  AND  DEVELOPMENT 


3.1  Aircrqft  Model 


The  aircraft  model  is  represented  as  a  linear  continuous-time  dynamics  equation  given  by 


^  ^AC  ^ACi'^  *  ^AC 

(3-1) 

with  an  output  equation 

X')  ■  ^AC  ^AC^‘^  *  ^AC  “aC^^) 

(3-2) 

aixl  a  discrcte-tiUK  measurement  equation  given  by 

z(/,)  = 

(3-3) 

w  here  y{t),  v(t-)  are  identical  in  dimension  and  physical  interpretation  of  components  for  the  truth  and  filter 

models.  Generally  the  truth  models  are  of  higher  state  dimensionality  than  the  filter  models  due  to  higher  order 
actuator  models,  discrete  gust  models,  wind  models,  etc.  Additionally,  the  truth  mode’  contains  actuator  rate 
and  position  limiting  functions.  The  noise  vector  v(i-)  is  a  zero-mean  white  Gaussian  noise  of  covariance  R. 
The  covariarKC  matrix  represents  measurement  inaccuracies  caused  by  sensor  noise.  The  high  frequency  "ensor 
dynamics  are  omitted  from  the  aircraft  dynamics  model  since  these  are  secondary  effects. 

Table  3.1  Aircraft  State  and  Control  Variables 


Table  3.  /  lists  the  eight  state  and  six  control  variables  used  in  the  study.  Each  of  the  state  variables  can 
be  expressed  in  terms  of  dimensional  derivatives  (8.9.10,11].  The  aircraft  velocity  can  be  expressed  as 


State  Variables 


0 

pitch  angle 

u 

forward  velocity 

a 

angle  of  attack 

q 

pitch  rate 

bank  angle 

B 

sideslip  angle 

P 

roll  rate 

yaw  rate 


Control  Variables 


8S|{  Right  Stabilator 


Left  Flaperon 


8F]^  Right  Baperon 


§R  Rudder 


SLEF  Leading  Edge  Bap 


rad/sec 
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(3-4) 


UUi)  =  A’qB  +  Xy  +  at' a  +  x'^q  *  xl^SS  *  X^p&F  +  x[^f8LEF 
with  Xj  -  X,  /  where  m  is  the  aircraft  mass  in  slugslft^  and  is  the  moment  of  inertia  about  the  aircraft 
x-axis  expressed  in  units  of  slug  fi^.  The  stabilator  and  flaperon  inputs  are  expressed  as  0.5X^  (8Si^  +  SSg) 
and  O.SX'^f.-  +  SF/f)  respectively.  Eq.(3-5)  represents  the  aircraft  equations  of  motion  in  a  state  space 

format; 
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0 

0 

0 

0 

0 

-ojy^ 

o.5y^ 

-0-5Z8F 

0 

0.5Lgj 

-0.5L^ 

-0-5^8f 

Hr 

0 

0-5A^8S 

-0.5iV^ 

0.5Af^ 

-0.5Av'p 

0 

5S, 

85^ 

Sf/f 

5R 

5LEF 


(3-5) 


Positive  deflections  are  defined  as  stabilator  trailing  edge  down,  left  flaperon  trailing  edge  down,  and  rudder 
trailing  edge  right  (deflections  which  produce  positive  moments).  The  dimensional  derivatives  are  expressed 
in  the  body  axes. 

The  dimensional  derivatives  of  Equation  (3-5)  were  developed  using  the  GENESIS  simulation  [13,  Appendix 
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BJ  residing  at  the  Flight  Dynamics  Laboratory  at  Wrighl-Patterson  APB.  GENESIS  contains  the  VISTA  F-16 
flight  control  system  as  well  as  a  con^lete  nonlinear  aerodynamic  data  base.  The  code  allows  the  user  the 
ability  to  linearize  the  model  about  a  trim  condition.  In  this  thesis,  the  trim  condition  is  0.4  Mach  at  20000  ft. 
As  mentioned  earlier,  the  thrust  remains  constant  for  this  application.  Another  useful  option  within  GENESIS 
is  the  ability  to  mn  simulations  and  produce  hard  output  for  a  given  user  command  sequence.  This  option  was 
used  to  check  out  the  FORTRAN  flight  control  system  coded  for  the  MMAE  simulation  with  the  linearized 
model  against  the  full  VISTA  F-16  flight  control  system  with  the  nonlinear  aerodynamic  data  base. 

The  normal  and  lateral  accelerations  at  the  center  of  gravity  are  computed  by 

+  Z^f,^8LEF )  (fllsec^)  (3-6) 
%  =  ^  ^pP  *  ^  *  J'WfSR) 

where  and  are  the  longitudinal  and  lateral  accelerations  at  the  center  of  gravity  and  the  dimensional 
derivatives  are  shown  in  the  unprimed  body  axes  for  convenience.  The  measurement  equation  is  given  as 
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(3-8) 
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\^nl  ^n2  ^iii]  *  [  ~^a  ~^q  ] 

V  ^ys]  -  [  -y?  ~yp  -yr  ] 

[^n4  ^n5  ^n6  ^n7  ^/i«]  “  [  -O.SZgf  -0.5Zgf  ] 

[zy4  ZyS  Zy6  ZyJ  Zyg  ]  =  [  OJKg^  -0.5^5^  OJKgf  -Kg^  ] 


where  the  subscripts  n  and  y  represent  nomial  and  latent]  axes,  respectively. 


i.l.l  Evaluation  of  Measurement  Noise  Covariance  R 

The  sensor  noise  variances  were  determined  by  using  flight  test  data  for  NASA's  F-8.  This  approach  was 
utilized  in  previous  efforts  [10,11,18].  Based  upon  the  noise  conelation  time  constants  ("0.02  sec  for  angular 
rates,  0.01  sec  for  accelerations,  and  0.005  sec  for  the  angle  of  attack"  [18]),  the  bandwidth  of  the  sensor  noise 
is  very  large  as  compared  to  the  frequency  response  of  an  aircraft  We  conclude  the  sensor  noise  is  essentially 
white  over  the  bandwidth  of  the  aircraft  The  root  mean  square  (RMS)  noise  values  are  listed  in  Table  3.2, 
foUowcd  by  the  values  (in  appropriate  units)  used  within  this  thesis.  While  one  might  expect  the  VISTA  F-16 
sensors  to  be  significantly  better  than  those  used  in  the  NASA  F-8  experiments,  the  lack  of  data  to  substantiate 
those  claims  forced  the  use  of  the  conservative  values  listed  in  Table  3.2  [12,13,18], 


Table  3  J  Sensor  Noise  RMS  values 


Variable 

RMS  Noise 

Units 

RMS  Noise 

Units 

u 

0.1 

fVsec 

0.1 

fl/sec 

a 

0.10  to  0.30 

deg 

0.0017  to  0.0052 

rad 

q 

0.15  to  0.50 

deg/sec 

0.0026  to  0.0087 

rad/sec 

^ncR 

0.02  to  0.06 

g’s 

0.6400  to  1.9000 

ft/sec^ 

P 

0.75  to  2.00 

deg/sec 

0.0130  to  0.0350 

rad/sec 

r 

0.15  to  0.50 

deg/sec 

0.0026  to  0.0087 

rad/sec 

^yeg 

0.003  to  0.04 

g*s 

0.0966  to  1.3000 

ft/scc^ 
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Conservative  estimates,  relative  to  anticipated  VISTA  F-16  sensor  perfoimance,  for  a  values  ate  established  as 
0.1  ftlsec,  0.004  rad,  0.006  rad,  1  filse<^,  0.02  rad! sec,  0.006  rad/sec,  and  0.6  ftlsec^,  respectively.  The 
covariance  matrix  R  is  given  by  Eq.  (3-13);  note  that  a  listing  such  as  1.0'^  in  the  table  is  a  shorthand 
representation  for  1.0  x  10  .  etc. 


R  = 


1.0 

0 

0 

0 

0 

0 

0 


0 

1.6-5 

0 

0 

0 

0 

0 


0  0  0  0  0 

0  0  0  0  0 

3.6"5  0  0  0  0 

0  1.0  0  0  0 

0  0  4.0'^  0  0 

0  0  0  3.6"5  0 

0  0  0  0  3.6"’ 


ftlsec 

rad 

radlsec 

ftlsec^ 

radlsec 

radlsec 

ftlsec^ 


(3-13) 


3.1.2  Actuator  Dynamics  Model 

The  VISTA  F-16  control  surface  actuators  are  modelled  as  fourth  order  actuators.  The  transfer  function  used 

to  describe  each  of  the  actuators  is  given  by  [Appendix  B] 

^  SC  ^  _ (20.2)  (141.4)  (5214.5) _  ^3 

^CMD  (S  +  20.2)  (j  +  141.4)  (J^  ♦  107.0J  +  5214.5) 

where  SC  is  the  actuator  (control  surface)  position  and  is  the  command  surface  position.  The  left  and 

right  stabilators,  flapcrons,  and  the  rudder  use  this  fourth  order  model  to  represent  the  surface  dynamics.  The 
leading  edge  flap  is  represented  as  a  ftrst  order  lag  given  by  Eq.  (3-15): 


16.0 

s  +  16.0 


(3-15) 


The  actuator/control  surface  transfer  functions  can  be  written  is  state-space  phase  variable  form  as 
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SC 

0 
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0 

SC 

0 
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0 

SC 

0 

sc 
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0 

0 

1 

SC 

♦ 

0 

-ai 

-d2 

-J3 

-d4 

SC 

1 

^CMD 


(3-16) 


with  the  output  equation  expressed  by 

Yc{t)  »  [  d5  0  0  0  ]  (3-17) 

where  SC  represents  the  different  control  surfaces  (8S,  5F,  and  8R).  The  MMAE  software  allows  these  control 
surfaces  to  be  modelled  as  either  a  first  order,  second  order,  or  fourth  order  representation.  The  first  order 
approximation,  implemented  in  the  filters,  allows  for  a  realistic  simulation  without  the  complexity  of  a  higher 
order  state- space  model: 

Tc(s)  -  (3-18) 

^  j  +  20.2 


Previous  efforts  encountered  robustness  difficulties  associated  with  reduced-order  actuator  models  [16].  The 
results  from  that  effort  provided  additional  nnotivatioo  for  not  using  a  zero-order  actuator  model  in  the  elemental 
filters  models.  As  mentioned  earlier,  the  leading  edge  flap  is  always  modelled  as  a  first  order  lag.  For  most 
implementation  purposes,  the  first  order  model  approximation  of  Eq.  (3-18)  is  used  in  both  the  truth  model  and 
the  filters.  Some  cases  were  run  with  the  fourth  order  representation  in  the  tmth  model  and  the  first  order 
representation  in  the  filters.  Results  indicated  some  minor  performance  degradation.  Since  the  actual  model 
in  the  aircraft  is  effectively  fourth  order,  actual  implementation  would  require  the  filters  to  contain  the  fourth 
order  actuator  model  to  maximize  the  algorithm’s  performance  capabilities;  final  implementable  controllers 
would  most  likely  incorporate  first  order  filter  design  models,  and  the  truth  model  repeats  this  first  order  model 
in  order  to  keep  computational  loading  down  without  any  severe  misrepresentations  of  performance  attributes. 

Actuator  position  and  rate  limiting  are  included  in  the  truth  model.  Position  and  rate  limits  for  the  VISTA 
F- 16  are  included  in  Table  3.3.  Recall  that  the  flight  control  system  contains  other  limiting  functions,  including 
internal  signal  and  rate  limiting  and  pilot  command  limiting. 
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Table  3  J  Actuator  Position  and  Rate  Limits 


Control  Surface 

Limits 

Units 

SS  -  Stabilator 

+/-  21.0 
+/-  60.0 

deg 

deg/sec 

8F  -  Flaperons 

+  20.0  /  -  23.0 
+/-  61.0 

deg 

deg/sec 

SR  -  Rudder 

+/-  30.0 
+/-  120.0 

deg 

deg/sec 

3.IJ  Dryden  Wind  Model 

This  section  is  based  in  part  on  the  development  presented  by  Pogoda  [8,9].  The  development  of  the  Dryden 
wind  model  is  taken  from  MIL-STD-1797A  [141  and  is  presented  in  sute  space  representation  by  Eq.  (3-19). 
The  gust  states  are  represented  using  the  subscript  g.  The  gust  states  are  given  as:  Ug,  a'g,  a^,  qg, 

Kg.  The  gust  variable  Ug  is  the  gust  or  air  mass  velocity  effect  on  the  aircraft  forward  velocity;  a’^  is  the  air 
mass  velocity  effect  on  the  aircraft  angle  of  attack;  is  the  air  mass  velocity  effect  on  the  angle  of  attack;  qg 
is  the  air  mass  velocity  effect  on  the  aircraft  pitch  rate;  is  the  air  mass  velocity  effect  on  the  aircraft  roll  rate; 
fi’g  is  the  air  mass  velocity  effect  on  the  aircraft  sideslip  angle;  is  the  air  mass  velocity  effect  on  the  aircraft 
sideslip  angle;  and  is  the  air  mass  velocity  effect  on  the  aircraft  yaw  rate. 
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with  dl,  d2,  d3,  and  d4  given  by: 


> 

'’t 

d3 

Ovd-^) 

> 

Vr 

d4 

b 

> 

128Z.i 

b 

\ 

where  w-  are  independent  white  noise  sources  of  unit  strength,  Vj  is  the  aircraft  velocity,  b  is  the  wing  span, 
are  the  appropriate  scale  lengths,  and  are  the  turbulence  RMS  values.  An  altitude  of  20000  ft  is  selected 
for  this  thesis.  Scale  lengths  are  chosen  for  the  medium/high  altitude  values,  specifically  =  2L^  =  = 

1750  ft  and  =  a  [14],  where  a  is  based  on  light,  moderate,  ot  severe  turbulence  categories  from 

Figure  262,  page  652  of  MIL-STD-1797A  [14].  The  design  models  confuted  in  this  thesis  assume  the  value 
of  o  =  1  (light  turbulence).  Pilot  perception  of  turbulence  is  often  significantly  different  from  the  categories 
listed  in  M1L-STD-1797A.  Sufficient  evidence  exists  to  suggest  a  value  of  o  -  1  may  more  accurately  describe 
light  to  moderate  turbulence  [14].  By  basing  the  wind  disturbance  calculations  on  o  1,  evaluations  can  be 
made  of  higher  turbulence  levels  by  multiplying  the  design  model  equivalent  discrete  time  dynamics  noise 
covariance  matrix  by  (o’)^. 

The  addition  of  the  Dryden  wind  model  modifies  the  aircraft  dynamics  model  of  Eq.  (3-5).  Relating  aircraft 
motion  to  air  mass  motion  (wind)  in  an  inertial  reference  frame  yields 

Vi-“V|  +v  /•  (3-20) 

'^al t  ''ol m  *ml  I  ' 

where  the  subscripts  a,  i,  m  are  aircraft,  inertial,  and  air  mass  respectively.  Then  the  u  from  Equation  (3-5)  may 

be  expressed  as 


U  =  XQ(e-eg)  +  X^(u-Ug)  *  X^(a-ag)  ♦  x'^(q-qg)  +  x'^iS  +  x'^hF  +  (3-21) 

where  Sg,  Ug,  represents  the  gust  or  air  mass  velocity  effect  on  the  state  variable.  Augmenting  the  air  mass 
velocities  from  the  wind  model  with  the  truth  model  states  yields  terms  to  be  added  to  Eq.(3-5)  as  shown  in 
Eq.  (3-22). 
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3.1.4  Discrete  Gust  Model 

This  section  is  based  in  part  from  the  development  presented  by  Pogoda  [9].  From  M1L-STD-1797A  [14], 
the  magnitude  of  wind  shear  is  computed  using  Figure  265.  In  equation  form, 

^  Vy  kOy,  ^  ka^  (3-23) 

where  k  varies  from  0.4  to  2.6  and  is  tuned  for  each  gust  to  excite  the  naturaJ  frequencies  of  the  aircraft  The 
rms  intensities  of  forward,  lateral,  and  vertical  turbulence  are  described  by  o^,  o^,  and  respectively.  The 
magnitude  of  the  wind  sheer  in  each  component  direction  are  described  by  Vy,  and  v^.  After  calculating  the 
velocities  for  a  given  disturbance  level,  the  gust  variables  are  converted  into  the  state  variables  of  the  Dryden 
wind  model.  The  discrete  gust  velocities  are  defined  as 

Vjj  =  \Hg ,  Vy  =  Av^ ,  =  AWg  (3-24) 

and  using  the  equalities 


13-25) 


provides  the  following  relationships; 

AUg  =  Vjf  (3-26) 

Substitution  of  the  values  A«^,  Aa^,  ^g  into  the  Dryden  wind  model  equations  provides  additional  terms  with 


34 


(3-27) 


Aa. 


(3-38) 


which  to  augment  the  wind  distuitance  model,  modifying  Eqs.  (3-19)  and  (3-22)  with  an  additional  teim  dp. 


as: 


=  AgXgU)  +  GgWg(i)  dg(l) 


(3-29) 


where  dg(i)  is  given  by  Equation  (3-30): 


dg(n  = 


-V, 


-1 

2LZ 


-nV-j 

'WZ 


0  0 


-1  V 


kVt  7 

_ iv„  o’ 

6bL„  y  - 


(3-30) 


3.2  Truth  Model 

This  section  is  based  in  part  by  the  development  presented  in  Martin  [18].  The  aircraft  truth  model  is 
represented  as  a  continuous-time  dynamic  system 

^7^/(0  *  AtmXtmU)  *  +  djT^U)  (3-31) 

with  an  output  equation  given  by 

y(t)  *  (3-31) 

and  the  discrete-time  measurement  equation 

z(tf)  -  +  v(r,)  (3-32) 

where  vvj-j^r)  is  a  zero-mean  white  Gaussian  noise  of  strength  Qjf^,  statistically  representing  aircraft 
disturbances  generated  by  random  wind  buffet  For  the  4th-order  actuator  representations  with  state  elements 
8S^.  hSg,  etc,  becomes  85^^,  ^Rcmd’  ^ ^emd  represents  the  input  command  to  the  actuator 

model,  and  8/*^  is  the  output  of  the  actuator  which  is  i^vided  as  input  to  the  aircraft  model.  The  aircraft  state 
model,  Eq.  (3-S),  is  augmented  to  incorporate  the  actuator  and  wind  disturbance  models.  In  this  thesis,  the  wind 
models  are  the  only  source  of  disturbances  to  the  aircraft  model.  Explicitly,  the  nonzero  components  in  the 
augiiKntcd  truth  model  matrices  Gjj^  and  djj^  come  from  the  wind  model  matrices  Gg  and  dg. 

The  remainder  of  this  section  presents  the  aircraft  truth  model  with  fourth-order  actuators  and  the  complete 
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Drydcn  wind  model.  Results  presented  in  Chapter  4  include  cases  for  both  fourth-order  actuators  and  first-order 
actuators  in  the  truth  model.  The  design  models  were  created  with  first-order  actuator  representations.  The  truth 
model  didn't  incorporate  either  the  Eiryden  or  the  discrete  gust  models,  and  it  was  divided  into  longitudinal  and 
lateral  directional  components.  The  full-scale  wind  model  is  replaced  with  the  "appropriately  scaled"  white 
noise.  The  white  noise  used  in  the  truth  model  is  scaled  relative  to  the  strength  levels  used  in  the  design  models. 
An  empirical  approach  is  taken  to  provide  white  noise  that  is  noticeable  but  not  offensive  fiom  a  pilot's 
perspective.  The  noise  strength  levels  were  chosen  to  resemble  light  turbulence.  Also,  the  flight  control  system 
incorporates  cross-channel  effects.  Limitations  in  toe  size  and  scope  of  the  thesis  effort  and  the  unnecessary 
computational  loading  precluded  the  addition  of  these  models.  The  full  representation  of  the  truth  model  is 
included  in  the  next  four  pages: 
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where  and  are  elements  from  the  aircraft  dynamics  model,  and  ft,,-  are  elements  from  the  actuator 
dynamics  model,  and  are  elements  from  the  Dryden  wind  model,  and  is  the  wind  shear  distuitaoce 
input  (18].  The  w-  disturbance  inputs  are  independent  white  Gaussian  noises  of  strength 


10  0  0 

fl^/(rad-sec) 

0  10  0 

fi^l(rad-sec) 

0  0  10 

radJsec 

0  0  0  1 

Jpl{rad-sec) 

where  w^,,  and  Wp  are  given  in  the  units  [ftlsecJ^llradJsecJ,  [ft!  seep  I  {rad!  sec],  [filsecpHrad/sec],  and 
[radlsecpl[rad/sec],  respectively  [9,10,18]. 

Recall  this  model  is  implemented  as  a  perturbation  model  so  that  the  initial  conditions  on  the  aircraft  states 
are  zero  =  0).  The  covariance  model  at  the  initial  conditions,  is  set  to  the  steady  state 

covariance  value,  since  the  simulation  begins  with  the  aircraft  in  steady  state  trim  flight 


3.3  The  Design  Model 

This  section  is  based  in  part  on  work  presented  by  Martin  [18].  The  design  model  is  similar  to  the  truth 
model  in  form.  However,  the  design  model  is  generally  of  lower  order  to  facilitate  faster  on-line  compulations 
necessary  in  flight  control  applications.  In  this  thesis,  the  design  model  incorporates  a  0-order  disturbance  model 
and  a  1  st-ordcr  actuator  model. 

The  design  model  is  given  by  the  form 

y(l)  -  +  Dpi^UQ^(l)  (3-36) 

Zitj)  -  *  ''('i)  (3-38) 

with  yit),  z(i-),  vf/,)  being  equivalent  in  both  the  aircraft  and  truth  models. 

The  augmentation  of  the  aircraft  model  found  in  Section  3.1  with  rirst-order  actuators  yields  a  14th-order 
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design  model.  The  augmentation  of  the  aircraft  model  with  the  Ist-order  actuator  representation  for  55,  SF,  and 
&R 


and  for  the  leading  edge  flap 


Si(s) 


20.2 

s  *  20.2 


S2(s)  * 


16.0 

s  +  16.0 


(3-39) 


(3-39) 


is  as  done  with  the  incorporation  of  4th-order  actuators  in  the  truth  mode).  In  this  thesis,  Ist-order  actuators 
were  chosen  over  0-ordcr  to  improve  control  response  [16].  Nesline  and  Zarchan  [16]  highlighted  robustness 
issues  associated  with  the  use  of  reduced  order  actuator  models  in  the  design  models.  This  finding  provided 
motivation  for  not  using  zero-order  actuators  in  the  design  models.  Initial  results  using  zero-order  actuators  in 
the  design  model  demonstrated  poor  algorithm  failure  detection  and  identification  performance. 

The  O-ordcr  wind  model  is  generated  by  approximating  the  6  time-correlated  wind  disturbances  u^ft),  cig(t), 
etc.  from  the  Drydcn  wind  model  with  the  6  white  noises 


(3-40) 


where  the  white  noise  strengths  are  calculated  by  averaging  the  wind  model  power  spectral  density  over  the 
appropriate  frequency  range  [18].  The  strengths  of  the  white  noise  approximations  are  generated  by  using  the 
appropriate  relationships  from  MIL-STD-1797A  and  generating  the  power  spectral  densities.  The  strength  is 
calculated  as  the  average  magnitude  of  the  power  spectral  density  ft’om  0  rad/sec  to  the  aircraft  bandwidth  for 
the  variable  of  interest.  The  matrix  given  by 

Q„  0  0  0  0  0 

g 

0  0„,  0  0  0 

0  Q,,  0  0  0 

0  0  0  e.  0  0 

0  0  0  0  COj 

0  0  0  0  0,, 
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Table  3^  Zero  Order  White  Noise  Strength 


Variable 

Aircraft  Bandwidth 

Units 

Average  Noise  Strength 

Units 

u 

0.25 

rad/sec 

4.5* 

ft^/rad-sec 

a 

4 

rad/sec 

3.0-® 

rad-sec 

9 

20 

rad/sec 

1.5*^ 

rad/sec 

a  vs  q 

4 

rad/sec 

i.r* 

rad^ 

P 

15 

rad/sec 

6.0*^ 

rad/sec 

P 

3.5 

rad/sec 

3.0-^ 

rad-sec 

r 

7 

rad/sec 

2.4-^ 

rad/sec 

fi  vs  r 

3.5 

rad/sec 

6.3-’ 

rad^ 

Since  a^(i)  and  q^(i)  are  both  functions  of  and  fig(i)  and  rg(i)  are  functions  of  the  cross  spectral 
densities  '^agqg^^^  **  calculated  to  fwm  the  off-diagonal  elements  of  Eq.(3-4I).  A 

description  of  these  calculations  is  given  by  Martin  [18]. 

The  bandwidtbs  for  the  aircraft  states  and  their  associated  average  noise  strengths  based  on  a  wind 
turbulence  RMS  value  of  a=l  ft! sec  are  given  in  Tc^le  3.4.  Since  each  power  spectral  density  equation  contains 
a  term,  these  average  noise  values  can  simply  be  multiplied  by  (o’)^  (•«  ka^  where  ik  is  a  multiple)  for 
increased  RMS  wind  turbulence  values.  The  white  noise  strengths  approximations  are  combined  to  form  the 
Q  matrix; 
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Qdm 


.5-2 

0 

0 

0 

0  0 

0 

3.0"^ 

1.1-* 

0 

0  0 

0 

l.l-« 

lJ-<* 

0 

0  0 

0 

0 

0 

6.0"^ 

0  0 

0 

0 

0 

0 

3.0"^  6.3  ■ 

0 

0 

0 

0 

6.3 2.4‘ 

(3-42) 


where  the  cross  spectral  densities  yield  the  nonzero  ofT-diagonal  terms  of  "rhe  off-diagonal  terms  indicate 
that  these  white  noise  terms  are  not  independent  of  each  other.  Note  the  reversal  of  two  rows  in  the  G  matrix. 
The  order  of  the  rows  within  the  state  matrix  differs  from  the  order  of  columns  within  the  wind  disturbance 
riKxlel.  necessitating  the  switching  of  two  rows  in  the  G  matrix. 


0  0  0  0  0  0 
1  0  0  0  0  0 
0  1  0  0  0  0 
0  0  1  0  0  0 
0  0  0  0  0  0 
0  0  0  0  1  0 
0  0  0  1  0  0 
.0  0  0  0  0  1 


(3-43) 


These  white  noises  are  incorporated  into  the  aircraft  equations  by  multiplying  the  G  matrix  by  the  primed 
aircraft  dimensional  derivatives,  as  shown  in  Equation  (3-22),  to  convert  the  t)  random  disturbances  into  the 
aircraft  derivative  states  u(i),  of/),  etc.  This  yields  the  design  model  matrix 
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0  0  0  0  0  0 

x'  x'  Jf'  0  0  0 

z'  z'  z'  0  0  0 

A/'  w'  w'  0  0  0 

0  0  0  0  0  0 

0  0  Q  y'  yL  y' 

p  ^  T 

0  0  0  l'  d  l' 

p  p  r 

0  0  0  n'  nL  n' 

p  p 


(3-44) 


where  X' ,  Z',M',Y',  L' ,  and  AT  are  the  dimensional  derivatives  as  defined  in  Section  3.1.  Higher  order  design 
models  are  created  by  augmenting  Eq.  (3-44)  with  additional  rows  of  zeros. 
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Figure  3.1  VISTA  F-16  Functional  Block  Diagram 
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3.4  Flight  Control  System 

The  MMAE  algorithm  is  applied  to  the  VISTA  F-16  flight  control  system  in  this  research  application.  The 
VISTA  F-16  flight  control  system  is  the  Block  40  digital  fly-by-wire  F-16  system  [not  included].  This  flight 
control  system  incorporates  seven  input  sensors,  namely,  angle  of  attack,  velocity,  pitch  rate,  normal  acceleration, 
roll  rate,  yaw  rate,  and  lateral  acceleration.  These  sensor  inputs  are  processed  as  shown  in  Figure  3.1.  In  this 
effort  six  actuators  are  modeled,  including:  the  left  wd  right  stabilator,  the  left  and  right  flaperon,  the  rudder, 
and  the  leading  edge  flap.  General  features  of  the  system  include:  pilot  command  limiting,  angle  of  attack 
limiting,  and  normal  acceleration  limiting,  anti-windup  compensation,  pitch  and  roll  command  mixers,  gain 
scheduUng,  autonomous  leading  edge  flap  actuation,  and  numerous  autopilot  functions. 

The  input  signals  are  processed,  combined  if  required,  limited,  and  output  Thirteen  primary  control  system 
inputs  are  of  interest  in  this  effort  the  seven  sensor  inputs  mentioned,  the  pilot  commands  in  three  axes,  and 
the  trim  inputs  in  three  axes.  Figure  3.1  depicts  the  flight  control  internal  operations  in  a  block  diagram  format 
The  full  block  diagram  is  not  shown  to  protect  proprietary  rights. 

The  pitch  control  system  converts  the  pUot  commanded  stick  force  into  a  pitch  command  gradient  which 
is  summed  with  the  trim  inputs.  This  command  is  limited  and  filteied  and  then  summed  with  autopUot  inputs 
and  sensor  feedbacks.  The  feedback  includes  a  combination  of  angle  of  attack,  pitch  rate,  and  normal  load  factor 
and  an  angle  of  attack  limiting  function  which  is  based  upon  the  flight  condition  and  inputs  from  the  roll  axis. 
The  summed  signal  is  scaled  and  limited  prior  to  entry  into  the  elevator  command  proportional  plus  integral  (PI) 
control  loop.  The  output  of  the  PI  controller  is  sent  to  the  control  surface  mixer. 

The  roll  control  system  converts  the  roll  command  in  lbs  to  a  roll  command  in  g's  via  a  roll  command 
gradient.  This  signal  is  filtered  and  summed  with  the  roll  trim  command,  autopilot  command,  and  the  filtered 
roll  rate  feedback.  The  summed  signal  is  limited  and  sent  to  the  aileron  rudder  interconnect  (ARI)  and  the 
control  surface  mixer. 

The  ARI  uses  the  signal  from  the  roll  axis  and  the  angle  of  attack  to  develop  a  coordinating  input  for  the 
yaw  axis.  The  block  diagram  routes  a  signal  through  the  ARI  to  produce  a  differential  tail  command  sent  to 
the  control  surface  mixer. 

The  yaw  axis  produces  a  command  conversion  similar  to  the  pitch  and  roll  axes.  This  command  is  filtered 
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and  scakd  according  to  the  flight  condition,  angle  of  attack,  and  limited  angle  of  attack.  This  process  is  not 
explicitly  shown  in  Figure  3.1  due  to  proprietary  restrictions.  The  scaled  input  is  summed  with  the  yaw  trim 
command  and  sumriKxl  functions  of  the  yaw  rate,  lateral  acceleration,  and  ARI  output.  The  signal  is  passed 
through  a  yaw  structural  Filter  and  sent  to  the  control  surface  mixer. 

The  leading  edge  flap  is  an  autonomous  control  surface  with  no  differential  actuation  between  left  and  right 
wings  possible.  The  leading  edge  flap  command  is  generated  by  taking  the  output  of  the  sensor  and  sending 
it  through  a  limiter,  filtering  it,  scaling  the  signal,  and  summing  it  with  a  bias  (omitted  from  Figure  3.1)  and 
a  function  based  upon  dynamic  pressure,  static  pressure,  and  total  pressure.  The  signal  passes  through  a  function 
designed  to  select  the  larger  of  the  signal  or  another  generated  function.  The  larger  signal  is  selected,  limited, 
and  sent  to  the  control  surface  mixer. 

The  control  surface  mixer  provides  software  rate  and  position  limiting  functions.  This  function  is  often 
called  "anb-windup"  compensation  [6,7]  (Anti-windup  compensation  is  essential  for  PI  controllers).  The 
stabilator  (elevator)  portion  of  the  control  surface  mixer  accepts  inputs  from  the  pitch  axis,  the  ARI  (not 
explicitly  shown  in  Figure  3.1) ,  and  the  roll  axis.  The  ARI  and  roll  signals  are  added  to  the  pitch  signals  in 
the  right  stabilator  path  and  subtracted  from  the  pitch  signal  in  the  left  stabilator  path.  After  the  signal 
summabon,  each  path  is  limited,  differentiated,  rate  limited,  integrated,  and  sent  through  the  actuator.  The 
actuators  have  posibon  and  rate  limits  given  in  Table  3.3.  The  roll  axis  contains  a  summing  scheme  (ix)t 
explicitly  shown  in  Figure  3  *o  proprietary  rights)  to  conbx)l  the  roll  inputs  at  the  higher  command 

levels.  The  signal  at  the  roll  command  poibon  of  the  surface  command  mixer  limits  the  command, 
differenbates,  rate  limits,  integrates  and  sends  the  signal  to  the  actuator.  The  signal  sent  to  the  yaw  axis  portion 
of  the  control  surface  mixer  is  limited,  differentiated,  rate  limited,  integrated,  and  sent  to  the  rudder  actuator. 
The  signal  sent  to  the  leading  edge  flap  control  surface  mixer  is  summed  with  an  error  feedback  (not  explicitly 
shown  in  Figure  3.1  to  protect  proprietary  rights),  scaled,  limited,  filtered,  rate  limited,  scaled,  mechanically 
limited,  and  sent  to  the  actuator. 
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3.5  Actuator  Failures 


Actuator  failures  are  grouped  into  two  categories:  bard  and  soft  Hard  failures  are  represented  as  tbe 
complete  loss  of  actuator  control  with  the  surface  trailing  edge  positioned  at  zero  degrees  of  deflection.  Tbe 
leading  edge  flap  is  not  included  in  the  failure  scenarios.  This  surface  is  not  flight-critical  and  its  inclusion  only 
complicates  the  ambiguity  problems  with  the  other  flight-critical  surfaces.  While  the  leading  edge  flap’s 
omission  simplifies  the  ambiguity  issues,  a  filter  could  be  designed  to  detect  this  failure  if  desired.  As 
mentioned  in  Chapter  1 ,  hard  actuator  failures  are  modeled  by  zeroing  out  columns  of  the  B  matrix. 

Soft  failures  are  represented  as  a  partial  loss  of  actuator  control  authority  (as  opposed  to  modelling  a  soft 
failure  as  a  partial  loss  of  actuator  rate  capability).  Arbitrary  percentages  are  selected  to  represent  the  loss  of 
control  authority.  The  critical  issue  is  whether  the  algorithm  will  be  able  to  blend  the  outputs  of  the  fully 
futKtional  filter  with  the  appropriate  hard  failure  filter  to  achieve  the  proper  control  for  the  soft  failure  scenario. 
The  soft  failures  are  introduced  by  multiplying  the  appropriate  column  of  the  B  matrix  in  the  truth  model  with 
the  percentage  of  control  authority  available. 

3.6  Sensor  Failures 

Sensor  failures  are  grouped  into  two  categories:  hard  and  soft  Hard  sensor  failures  are  nxxlelled  by 
assuming  tbe  complete  loss  of  tbe  sensor's  output.  All  of  tbe  flight-critical  sensors  are  included  in  tbe  model. 
A  hard  sensor  failure  is  represented  by  zeroing  out  the  appropriate  row  of  the  //  matrix.  Unlike  actuator  failures 
in  which  one  surface  can  affect  many  different  residuals,  sensor  failures  have  a  direct  relationship  to  tbe 
associated  scalar  residuals  and  are  easily  detected. 

Soft  sensor  failures  are  modelled  by  assuming  increased  sensor  noise  (as  opposed  to  a  bias).  Soft  sensor 
failures  are  represented  by  increasing  the  appropriate  sensor  variance  in  the  sensor  noise  covariarK:e  matrix,  R, 
within  the  truth  model.  Detection  of  a  soft  sensor  failure  is  considerably  harder  when  the  elemental  variance 
itKrcment,  from  the  sensor  noise  covariance  matrix,  is  small. 
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3.7  Multiple  Failures 

Multiple  failures  include  all  of  the  two-failure  combinations:  dual  bard  actuator  failures,  dual  hard  sensor 
failures,  hard  actuator  and  sensor  failures;  dual  soft  actuator  failures,  dual  soft  sensor  failures,  soft  actuator  and 
sensor  failures;  combinations  of  hard  actuator  with  soft  sensor  failures,  and  combinations  of  soft  actuator  with 
hard  sensor  failures.  Multiple  failures  are  implemented  using  the  "moving  bank"  hierarchical  structure  described 
in  Chapter  2.  Multiple  failures  are  implemented  according  to  a  delay  sequence,  with  the  time  between  failures 
selected  by  the  user.  Multiple  failures  require  the  generation  of  a  bank  of  Filters  designed  for  the  First  failure 
and  any  second  failure  including  a  no-failuie  filter.  In  actuality,  the  MMAE  algorithm  being  tested  accounts 
for  all  hard  failure  combination  scenarios;  it  is  the  full,  implementable  algorithm  vs.  a  "stripped  down"  version 
with  less  than  the  full  complement  of  level-one  bank  Filters.  Partial  failures  provide  an  example  of  the 
robustness  of  the  MMAE  algorithm,  to  be  handled  by  blending  the  estimates  from  the  appropriate  hard-failure 
elemental  Filter  and  the  fuUy-functional  aircraft  elemental  filter.  Chapter  2  provides  detailed  insight  into  the 
philosophy  of  the  "moving  bank"  structure  and  questions  of  interesL 

3.8  Dither  Signal  Design 

A  dither  signal  is  deFuied  in  this  thesis  as  an  intentional  stimulus  imposed  on  the  system  with  the  expressed 
purpose  of  improving  the  MMAE  algorithm’s  ability  to  identify  a  failure.  A  variety  of  dither  signals  are 
explored  in  this  research  effort  including:  sine  wave,  modiFied  sine  wave,  square  waves,  triangle  waves,  and 
modiFied  pulse  trains.  Two  philosophies  are  employed  throughout  the  dither  signal  process.  There  exist 
situations  in  which  one  prefers  the  dither  signal  to  be  of  a  subliminal  nature,  such  as  nominal  in-flight  conditions 
for  long  periods  of  time.  Additionally,  there  exist  emergency  situations  in  which  a  failure  must  be  positively 
identiFied.  In  this  scenario,  the  requirement  for  a  subliminal  dither  is  secondary  to  the  necessity  for  complete 
and  correct  failure  characterization.  Automated  failure  ideotifleatioo  requires  no  pilot  intervention.  By 
automating  the  identiFication  process,  an  excitation  signal  can  be  optimized  to  provide  good  failure  detection 
performance.  To  preserve  steady  state  flight  conditions  aixl  provide  good  excitation,  "pulse  train"  signals  were 
investigated.  The  single  pulse  and  inverted  pulse  combinations,  properly  tuned,  provide  good  excitation  and 
good  perfonnance  but  have  a  basic  flaw.  The  signals  repeat  every  3.0  seconds.  Thus  a  failure  could  exists 
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Figure  3.2  Dither  Signal  Wave  Forms 

between  pulses  for  up  to  3.0  seconds.  This  may  be  unacceptable  in  some  flight  conditions.  In  the  other 
extreme,  bringing  the  pulses  closer  together  produces  the  same  effect  as  a  continuous  sine  wave.  Variations 
between  these  two  signals  demonstrate  the  designer's  attempt  to  minimize  dismption  of  steady  state  response 
while  still  providing  sufficient  excitation  necessary  for  good  algorithm  performance.  Figure  S.2  presents  the 
dither  signal  wave  forms  investigated  in  this  thesis. 

The  generation  of  subliminal  dither  signals  implies  some  constraints  on  the  magnitude  aixl  frequency  of 
acceptable  dither  signals.  In  this  thesis,  intuitive  reasoning  and  previous  harxUing  qualities  experience  set  the 
magnitude  of  the  dither  signal.  The  dither  signal  is  not  allowed  to  produce  more  than  +/-  0.1  g's  in  the 
longitudinal  axis  or  0.2  g's  in  the  lateral  directional  axis.  The  frequency  requirement  is  not  as  clear.  In  the 
pulse  train,  the  frequency  requirement  is  dictated  by  identification  characteristics.  It  did  not  appear  that  the 
frequency  for  good  ideotification  resulted  in  a  noticeable  increase  in  RMS  g  between  pulses.  In  contrast  the 
sine  wave  form  did  produce  changes  in  the  RMS  g  levels  since  the  wave  is  continuous.  The  frequency  is 
selected  by  good  identification  criteria,  minimal  deviations  firom  steady  state,  and  the  occurretKe  of  any 
deviations  in  state  variables  that  might  be  considered  objectionable  by  a  pilot 

Non-subliminal  dither  signals  could  be  used  in  an  emergency  situation  to  identify  the  current  system's 
configuration  and  capabilities.  The  criteria  for  the  selection  of  the  dither  signal  in  this  application  include 
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unconstrained  accelerations  at  the  pilot  station  (up  to  a  reasonable  physical  limit).  The  signal  frequency  and 
strength  are  determined  by  good  identification  capabilities.  These  signals  would  certainly  be  noticeable  to  a  pilot 
but  will  provide  excellent  identification  performance.  Chapter  4  provides  evidence  for  the  observations  listed 
in  this  section. 

3.9  Step-by-Step  Outline 

The  analysis  process  is  described  below  in  a  step-by-step  process.  Within  each  step,  the  appropriate 
computer  codes  are  identified.  This  section  does  not  attempt  to  identify  every  detail  necessary  to  design  and 
run  the  MMAE  simulation,  but  rather  to  give  the  user  an  overview  of  what  steps  are  necessary  to  execute  the 
design  and  simulation  and  the  accompanying  thought  process. 

GENERAL:  SIMULATION  CODES  OF  INTEREST; 

MMAE  SIMULATION  -  This  code  nms  the  MMAE  computer  simulation  of  the  VISTA  flight 
control  system.  It  uses  many  subroutines  (See  Ar).  C  -  Code  Description).  The  VISTA  subroutine  can  be 
removed  and  replaced  with  any  other  flight  control  subroutine.  Changing  the  subroutine  will  require  a  change 
to  the  MMAE  code  since  it  is  unlikely  that  the  number  of  sensors  and  actuators  would  be  equivalent. 

STAND  ALONE  VISTA  F-16  FLIGHT  CONTROL  SYSTEM  -  This  code  computes  the  flight 
control  system's  trim  conditions  for  a  desired  flight  condition.  The  code  stores  the  flight  control  system's  trim 
values  for  every  internal  and  external  variable  of  interest  This  is  a  desirable  feature  since  the  alternative  is  to 
run  the  MMAE  simulation  code  for  an  extra  period  of  time  to  And  the  trim  state.  The  MMAE  simulation  code 
is  computationally  intensive,  and  adding  additional  run  time  is  undesirable. 

GENESIS  -  The  GENESIS  simulation  is  a  six-degree-of-fieedom  nonlinear  simulation  with  a  full 
set  of  VISTA  F-16  flight  control  laws  [not  included].  The  simulation  allows  for  the  examination  of  internal 
variables  within  the  flight  control  system.  It  produces  trim  states  and  linearized  models.  Linearized  models  are 
necessary  for  the  implementation  of  the  truth  and  design  models  within  the  MMAE  simulation.  In^lementing 
the  full  non-linear  data  base  would  be  difficult  and  computationally  intensive  as  well  as  unnecessary.  A 
reasonable  linearized  model  provides  excellent  results  for  the  short  periods  of  simulation  run  time.  The 
simulation  contains  output  options  as  well.  The  simulation  can  produce  high  quality  laser  plots  of  virtually  any 
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desired  control  sequence  or  any  state  variable  trace  with  time. 

MATRIXx  -  This  code  [151  resides  at  both  AFTT  and  Wright  Laboratories.  MATRIX*  provides 
the  user  m  ith  the  capability  to  design  and  manipulate  high-order  state  space  models.  The  elemental  filters  are 
constructed  using  MATRIXx.  Additionally,  MATRIXx  allows  for  high  quality  la."er  plotting  of  results. 

MATRIXx  FILTER  DESIGN  MACROS:  KFEVAL  -  This  code  calculates  the  steady  sUte 
measurement  noise  strength  matrix  Q,  and  state  covariance  matrix,  for  the  elemental  filters.  This  code  was 
written  by  Dr  Peter  Maybeck.  Only  part  of  the  code  is  used  within  the  filter  creation  sequence. 

SETUPBX  (where  X  is  1 ,2,...  #  of  banks)  -  This  code  is  used  as  a  subroutine.  This  code  sets  up 
the  filters  in  banks. 

MATRIXx  PLOTTING  ROUTINES:  GENPLTXX  (where  XX  is  Al,  A2,  A3,  A4,  A5,  SI,  S2, 
S3,  S4,  S5,  S6,  or  S7)  -  This  code  creates  hard  copies  of  the  plots  in  MATRIXx.  It  is  executed  within 
MATRIXx  and  produces  probability  strip  charts. 

GENRESID  -  This  routine  generates  residual  plots  within  MATRIXx  and  is  similar  in  operation 
to  GENPLTXX. 

STEP  1  Using  GENESIS  or  any  other  applicable  code,  generate  a  linearized  aerodynamic  model  of  the 
vehicle  of  interest.  A  code  that  allows  the  user  to  generate  model  responses  to  control  stimuh  should  be 
selected.  This  w  ill  allow  the  user  to  check  his  model  and  control  system  against  the  full  nonlinear  system  prior 
to  incorporation  into  the  MMAE  simulation. 

STEP  2  Design  or  simulate  a  control  system  to  couple  with  the  linearized  model.  The  system  should  be 
a  stand-alone  system  to  check  against  the  full  nonlinear  system  and  to  generate  a  aim  file  for  the  MMAE 
simulabon  controller. 

STEP  3  Construct  the  measurement  noise  covariance  matrix  K  by  evaluating  the  RMS  noise  of  the  control 
system's  sensors. 

STEP  4  Compute  the  strength  of  the  white  noise  approximations  for  the  Dryden  wind  disturbance  model, 
Q.  by  evaluating  the  average  noise  strength  for  u,  a,  q,  p,fi,  r,  and  couplings  of  these  variables  using  PSD  plots 
(8.9,181.  Construct  the  Q  matrix. 
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STEP  5  Design  the  filters  by  running  the  MATRIX*  MACRO  FILECREATE.MXX.  This  routine  will 
construct  the  filters  using  the  Q  matrix  in  local  memory  and  the  R  matrix  also  in  local  memory.  The  linearized 
model  must  be  placed  into  the  local  (temporary)  memory  as  well.  After  the  macro  executes,  the  filters  can  be 
found  in  the  directory.  Step  7  explains  the  filter  naming  convention.  Perform  an  'Tsave  variable  names 
filcnanK.dat"  in  MATRIX*  before  exiting  to  save  the  linearized  model,  the  initial  design  state  and  noise 
covariances  and  disturbance  models  to  a  data  set 

STEP  6  The  MMAE  simulation  needs  6  data  files  to  allow  proper  execution.  ( 1 )  Data  file  DECLARR.TXT 
provides  a  common  block  structure  used  within  every  routine  and  subroutine  in  the  MMAE  simulation  code. 
A  FORTRAN  "include  DECLARR.TXT'  within  every  routine  and  subroutine  allows  a  single  data  file  to  exist 
with  all  the  variable  declarations.  This  provides  for  fast  and  simple  variable  additions,  deletions,  common  block 
structure,  and  variable  declaration  changes.  (2)  Elemental  filter  data  files.  (3)  Data  file  REALS.DAT  contains 
all  of  the  real  data  variable  values  used  within  the  simulation.  (4)  Data  file  FLAGS.DAT  groups  all  of  the 
logical  variables  into  a  single  file.  (5)  Data  file  TRIM  DAT  contains  the  trim  variables  for  the  flight  control 
system  generated  by  the  stand-alone  flight  control  system.  (6)  Na.MES.DAT  contains  all  of  the  six -digit  codes 
used  by  subroutine  REDMAT.FOR  to  identify  each  elemental  filter's  name  and  bank  number  (e.g.,  FOIBI  is 
interpreted  as  niter  number  01  in  ^ank  L). 

STEP  7  Executing  the  MMAE  code  requires  the  user  to  input  the  command  "RUN  IvlMAESIM".  Prior 
to  code  execution,  the  user  should  select  a  failure  by  setting  the  appropriate  variables  within  the  data  files  and 
copying  the  elemental  filter  selected  for  a  failure  to  data  file  F02B1.  FOIBI,  F02B1,  and  P03B1  are  always  the 
truth  models  after  creation  from  the  design  macro.  The  code  uses  F01Bl.dat  as  the  no-*'»ilure  condition  for  ran 
intialization  and  will  use  this  model  until  the  first  single  failure  occurs,  upon  which  the  code  uses  data  file 
F02B I  .dat  as  the  system  model.  If  a  second  failure  occurs,  data  file  F03B 1  .dat  is  used  to  specify  the  appropriate 
system  model.  Execution  macros  exist  for  both  on-line  execution  and  batch  execution. 

STEP  8  Post-execution  options  allow  the  user  to  evaluate  the  system  performance  quickly  by  looking  at 
standard  formatted  data  files  or  by  transferring  the  data  file  MXX.DAT  to  MATRIX*  and  plotting  using  the 
GENPLTXX  routines  or  the  GENPLT  MACRO  (generates  the  entire  series  of  plots  for  all  single  hard  failures). 
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STEP  9  After  executing  the  MATRIXx  plotting  routines,  the  output  files  must  be  converted  into  the 
appropriate  printer/plotter  format.  MATRIXx  supports  a  variety  of  output  options.  This  thesis  used  the  LN03 
laser  printer  for  plots.  The  MACROS  PLOTTIE  and  PLOTRESID  contain  the  appropriate  commands.  Appendix 
D  contains  the  Matrixx  Code.  Appendix  E  contains  the  data  files  used  for  Matrixx  and  the  simulation. 

3.10  Summary 

This  chapter  has  described  the  development  of  the  aircraft  truth  model,  the  covariance  model,  the  actuator 
model,  the  Dryden  wind  model,  and  the  discrete  gust  model.  The  design  model  development  was  presented 
assuming  Ist-order  actuators  and  a  0-order  wind  model.  A  functional  description  of  the  VISTA  F-16  flight 
control  system  was  outlined  and  the  actuator/sensor  failure  methodology  developed.  A  section  on  dither  signals 
and  the  criteria  in  designing  and  applying  them  was  included.  The  chapter  concludes  with  a  brief  step-by-step 
general  outline  of  the  design  and  execution  process  iKcessary  to  run  the  code.  Additionally,  short  (kscriptions 
of  the  codes  and  their  associated  names  have  been  included  as  a  reference. 
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IV.  RESULTS 


4.1  General 

This  chapter  presents  data  for  single  and  multiple  failures.  Single  failures  include:  complete  (hard)  and 
partial  (soft)  actuator  failures,  and  complete  (hard)  and  incieased-noise  (soft)  sensor  failures.  Multiple  failures 
arc  generated  by  selecting  two  of  the  single  failures.  The  data  is  presented  for  single  failures  followed  by 
multiple  failures.  Single  failure  data  is  arranged  according  to  failure  attributes  in  a  hierarchical  order.  Hard 
failures  are  presented  before  soft  failures.  Within  the  hard  failure  section,  subliminal  dither  signals  are  presented 
before  non-subliminal  dither  signals.  The  dither  signal  results  are  followed  by  purposeful  commands  (i.e.  slick 
pull  and  hold).  A  subsection  demonstrating  sinusoidal  dither  commands,  in  contrast  to  pulse  repetition  dithers, 
is  included.  The  final  subsection  illustrates  residual  monitoring  characteristics.  Within  the  soft  failure  section, 
subliminal  and  non-subliminal  dithering  is  presented  using  the  same  dither  signals  evaluated  in  the  hard  failure 
section.  In  the  event  that  the  established  dither  signals  are  ineffective  in  providing  good  identification 
performance,  a  dither  signal  designed  specifically  for  enhancing  the  identifiability  of  the  soft  failure  will 
demonstrate  the  algorithm’s  performance  characteristics  (whether  acceptable  or  not).  The  soft  actuator  failures 
are  modelled  by  reducing  the  surface’s  effectiveness  by  a  percentage  value.  The  soft  sensor  failures  are 
modelled  by  increasing  the  sensor  noise  variance  by  a  multiple  factor.  Multiple  failures  require  the  creation 
of  additional  filter  "banks"  to  allow  for  two  failure  scenarios  (Chapter  2,3).  The  first  bank  (level  0)  includes 
all  of  the  single  failure  filters.  Each  of  the  filters  in  the  second  series  of  banks  (level  1)  is  designed  assuming 
a  first  failure  and  any  other  second  failure.  As  an  example,  the  left  stabilator  level  1  bank  consists  of  1 1  filters 
designed  for  a  left  stabilator  failure  and  any  other  second  failure,  a  left  stabilator  failure  alone,  and  a  no-failure 
filter.  The  no-failure  filter  allows  the  algorithm  to  back  up  to  level  0  if  a  left  stabilator  misidentification  had 
occurred. 

The  data  within  the  sections  are  presented  by  displaying  the  computed  p^  probabilities  for  each  of  the  13 
filters  in  the  filter  bank.  For  single  failure  scenarios,  only  one  bank  is  of  interest  In  some  cases,  the 
corresponding  state  time  histories  are  included  to  demonstrate  relevant  characteristics  or  to  establish  traits  from 
which  to  base  conclusions.  The  following  filter  abbreviations  are  used:  FF  -  fully  functional,  A1  -  left  stabilator 
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failure,  A2  -  right  stabilator  failure,  A3  -  left  flaperoo  failure,  A4  -  right  flaperoo  failure,  AS  -  rudder  failure, 
SI  -  velocity  sensor  failure,  S2  -  angle  of  attack  sensor  failure,  S3  -  pitch  rate  failure,  S4  -  normal  acceleration 
failure,  S5  -  roll  rate  failure,  S6  -  yaw  rate  failure,  and  S7  -  lateral  acceleration  failure.  The  state  variables  are 
represented  by  fairly  standard  abbreviations:  theta  -  pitch  attitude  angle  in  degrees,  u  -  velocity  in  fl/sec,  alpha 
-  angle  of  attack  in  degrees,  q  -  pitch  rate  in  deg/sec,  Ancg  -  normal  acceleration  in  g's,  phi  -  roll  angle  in 
degrees,  beta  -  sideslip  angle  in  degrees,  p  -  roll  rate  in  deg/sec,  r  -  yaw  rate  in  deg/sec,  and  Aycg  -  lateral 
acceleration  in  g's.  Also  of  interest  in  some  cases  are  the  residual  values.  (See  chapter  2  for  a  detailed 
explanation  of  residual  values.)  Seven  residuals  are  used  within  the  Kalman  filter  calculations:  velocity,  angle 
of  attack,  pitch  rate,  normal  acceleration,  roll  rate,  yaw  rate,  and  lateral  acceleration.  Throughout  the  chapter, 
the  text  for  a  section  will  be  presented  followed  by  the  appropriate  figures. 

4.2  Single  Hard  Failures 

Hard  failures  are  characterized  by  the  complete  loss  of  effectiveness  of  an  actuator  (and  in  this  application 
a  control  surface)  or  sensor  signal.  As  previously  mentioned  in  Chapter  2,  hard  actuator  failures  are  modelled 
by  zeroing  out  a  column  of  the  control  matrix,  B.  Hard  sensor  failures  are  modelled  by  zeroing  out  the 
appropriate  row  of  the  //  matrix.  The  data  presented  within  this  section  encompasses  results  associated  with 
cither  dither  signals  or  purposeful  commands  used  to  enhance  the  identification  of  hard  failures.  Two 
"sublimina’."  dither  signals  are  presented  within  this  section.  The  author  admits  that  there  is  the  potential  debate 
over  the  defmition  of  subliminal.  In  the  context  presented  in  this  thesis,  subliminal  is  defmed  in  terms  of  the 
state  parameters,  particularly  the  normal  and  lateral  accelerations.  Dither  signals  which  produce  accelerations 
of  less  than  +!-  0.1  g's  of  normal  acceleration  and  +!-  0.2  g’s  lateral  acceleration  are  considered  subliminal  by 
definition.  Subliminal  dither  signals  have  a  number  of  potential  applications  for  failure  detection  and 
identification  applications.  If  a  pilot  perceives  a  change  in  handling  qualities,  a  nonsubliminal  pulsed  or 
continuous  dither  signal  can  be  used  to  identify  a  failure  positively.  During  routine  flight  (flight  in  which  a 
failure  is  not  perceived  by  the  pilot),  a  subliminal  dither  signal  can  be  used.  Subliminal  dither  signals  provide 
excellent  results  for  most  applications.  A  few  difficult  situations  require  a  nonsubliminal  dither  signal  for 
identification  (dua'  failures  in  which  the  first  failure  is  an  actuator  or  surface).  This  effect  is  discussed  later  in 
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the  chapter.  If  the  pulse  is  truly  subliminal,  the  system  can  be  engaged  during  the  entire  flight  to  provide 
continuous  protection.  This  prevents  a  departure  horn  controlled  flight  should  the  pilot  attempt  a  maneuver 
without  being  aware  of  the  system’s  tme  configuration  (i.e.  failure  status).  In  such  situations,  the  algorithm  will 
identify  the  failure  prior  to  the  insertion  of  the  command.  If  not,  purposeful  commands  provide  positive 
identification  of  failures  in  most  situations.  These  effects  are  discussed  within  this  section. 

4.2.1  Subliminal  Pulsed  Dither  Signals 

The  pulsed  dither  sipnals  presented  in  this  section  are  pulse  trains  recurring  every  3.0  seconds.  The  signals 
are  characterized  by  a  positive  pulse  held  for  a  period  of  0.123  seconds  followed  by  a  negative  pulse  held  for 
a  period  of  0.125  seconds.  The  pulses  occur  at  0,  3,  and  6  seconds.  The  pulse  durations  were  determined 
empirically.  The  rationale  for  dither  pulse  design  was  to  provide  a  pulse  of  enough  duration  to  excite  the 
system,  yet  not  too  long  as  to  violate  the  subliminal  constraints.  The  pulse  application  times  were  chosen 
relative  to  the  eight  second  run  time.  A  pulse  at  zero  starts  the  identification  process  immediately  and  places 
the  probability  in  the  no-failure  filter  (all  of  the  mns  throughout  the  thesis  begin  with  the  probability  in  the  no¬ 
failure  filter).  The  pulses  at  three  and  six  seconds  into  the  simulation  are  evenly  spaced  to  demonstrate  the 
probability  characteristics  before  and  after  the  failures. 

Figure  4,1  displays  the  pj^  probabilities  for  the  bank  of  13  elemental  filters  for  a  no-failure  scenario.  This 
scenario  establishes  a  baseline  for  comparison  with  other  failure  scenarios.  Figure  4.2  contains  the 
corresponding  states.  From  Figure  4.1,  the  algorithm  correctly  identifies  the  no-failure  filler  from  the  starting 
probability  of  0.75  within  0.25  seconds.  The  probability  grows  from  0.75  to  0.988  (maximum)  within  this  tinK. 
The  excitation  of  the  pulse  forced  the  residuals,  corresponding  to  each  of  the  filters  with  incorrect  hypotheses, 
to  grow  large  as  compared  to  their  internally  computed  covariances.  In  contrast,  the  residuals  of  the  filter  with 
the  correct  hypothesis  fall  within  the  3o  bounds.  The  MMAE  algorithm  assigns  probabilities  based  upon  the 
residuals  characteristics.  Except  for  a  minor  probability  drop  out  at  5.95  seconds,  the  probability  is  locked  on 
the  fully  functional  (no-failure)  filter.  The  minor  probability  dropout  occurs  near  the  six  second  pulse,  a  time 
at  which  ambiguity  arises  due  to  the  application  of  the  pulse.  The  pulse  excites  the  system;  however,  the  pulse 
also  provides  a  transient  The  drop  out  at  5.95  seconds  is  picked  up  by  the  angle  of  attack  failure  filter.  This 
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phenomena  is  consistent  throughout  the  hard-  failure  scenarios.  It  is  an  anomaly  caused  by  a  3o  noise  spike 
which  violates  the  3o  bounds  representing  the  internally  computed  covariance  and  causes  a  momentary  loss  of 
probability,  which  happens  to  be  picked  up  by  the  angle  of  attack  failure  filter.  Note  the  probability  spike  is 
momentary,  consistent  between  cases,  and  the  algorithm  instantly  returns  the  probability  to  the  correct  filter, 
namely  the  fully  functional  aircraft  filter.  From  Figure  4.2,  the  pulse  dither  signal  can  clearly  be  observed  at 
0,  3,  and  6  seconds.  From  the  acceleration  values  within  Figure  4.2,  the  dither  meets  the  subliminal  criteria 
discussed  in  Section  4.2.1.  In  Figure  4.2,  all  of  the  variables  are  centered  around  zero  with  the  exception  of  the 
nomial  acceleration  (centered  at  1  g).  These  variables  are  relative  to  the  trim  conditions.  The  trim  angle  of 
attack  is  10.06  degrees,  as  is  the  trim  pitch  angle.  The  trim  velocity  is  414.8  ft/sec.  All  other  trim  states  relative 
to  Figure  4.2  are  zero  with  the  exception  of  the  trim  normal  acceleration  which  is  Ig.  The  reader  may  be 
disturbed  by  the  apparent  ramping  of  many  of  the  state  variables  after  the  application  of  each  successive  dither 
pulse.  A  small  change  in  the  pulse  amplitude  can  alter  the  ramping  with  no  change  in  performance,  and  the 
ramping  was  easily  controlled.  Since  the  emphasis  of  this  thesis  is  not  perfect  dither  signals  and  the  ramping 
is  easily  controlled,  the  author  didn’t  invest  any  additional  time  in  "perfecting"  the  dither  signal  to  eliminate  the 
small  ramping  effect 

Figure  4.3  demonstrates  a  left  stabilator  (Al)  failure.  The  failure  is  introduced  at  3.0  seconds.  The  failure 
is  introduced  at  this  time  to  coincide  with  the  pulse  application.  This  should  produce  the  best  algorithm 
performarKe  for  this  pulse.  Inserting  the  failure  before  the  pulse  application  would  result  in  an  undetected 
failure  until  the  application  of  the  pulse.  Inserting  the  failure  after  the  pulse,  and  resulting  transient,  will  result 
in  an  undetected  failure  until  the  next  pulse  application.  At  3.13  seconds,  the  algorithm  correctly  identifies  the 
left  stabilator  as  the  failure  (filter  Al).  At  3.8  seconds,  the  rudder,  the  right  stabilator,  the  fully  functional 
aircraft,  and  the  yaw  rate  sensor  elemental  filters  share  the  probability.  This  indicates  four  fillers  with  relatively 
equivalent  residuals  and  a  left  stabilator  with  a  poor  residual  value.  At  4.0  seconds,  the  right  stabilator  is 
misidentified  as  the  failure.  Al  4.4  seconds,  the  left  stabilator  is  correctly  and  positively  identified.  Ambiguities 
between  left  and  right  surfaces  are  common  throughout  the  results.  Whether  left  or  right,  a  stabilator  failure  was 
correctly  identified  throughout  the  simulation.  Moreover,  left  and  right  ambiguities  can  be  resolved  with 
purposeful  commands.  Also,  ambiguities  can  be  resolved  through  residual  monitoring  which  will  be 
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demonstrated  in  Section  4.2. 1.4.  For  the  VISTA  F-16,  left  and  right  stabilators  are  used  for  both  roll  and  pitch. 
Based  upon  the  dither  signals  characteristics  (pulse  polarities,  strengths,  and  relative  timing),  the  left  and  right 
stabilator  conunand  magnitudes  may  be  different.  They  will  certainly  be  small  (due  to  the  subliminal  dither 
criteria).  Upon  initiating  a  failure  in  the  truth  model,  one  of  the  signals  will  be  assigned  a  value  of  zero  in  the 
truth  model.  This  leaves  a  small  signal  to  "shake  up"  the  system.  Often  the  signal  is  not  of  sufficient  strength 
to  provide  essentially  instant  failure  detection  and  identification.  Practical  appheation  would  require  an  increased 
magnitude  dither  signal  on  the  remaining  surface  to  reestablish  the  desired  system  excitation.  Ambiguities  are 
usually  the  result  of  an  insufficient  excitation  of  the  system  or  a  delay  in  proper  identification  due  to  shaking 
up  a  system  too  much.  The  ftrst  point  we've  already  discussed.  Excessive  system  excitation  can  result  in  eitho' 
ambiguities  or  a  delay  in  identification.  When  the  transients,  generated  by  a  pulse,  approach  steady  state,  failure 
identification  occurs.  The  pitch  rate  in  Figure  4.4  demonstrates  the  reduction  in  the  system  excitation  caused 
by  the  induction  of  a  left  stabilator  failure. 

Comparison  of  Figures  4.5  and  4.3  demonstrate  the  differences  between  "sister"  actuator  failures.  The  right 
stabilator  (A2)  failure  scenario  displays  some  of  the  same  characteristics  as  the  left  stabilator  failure  scenario. 
.Ambiguities  exist  between  the  two  surfaces.  At  3.1  seconds,  the  right  stabilator  is  identified  as  the  correct 
failure.  However,  at  3.93  seconds,  the  probability  is  shared  between  the  left  flaperon  (A3),  the  mdder  (A5),  the 
right  flaperon  (A4),  and  the  left  stabilator  (Al).  The  left  and  right  stabilator  compete  for  the  probability  from 
4.0  to  4.5  seconds.  At  4.5  seconds,  the  right  stabilator  failure  is  correctly  and  positively  identified.  Here  some 
ambiguity  exists  primarily  between  the  left  and  right  stabilator  actuators.  The  differences  between  the  left  and 
right  failure  scenarios  can  be  attributed  to  the  dither  signal  characteristics  and  the  fiight  control  systeia 
Comparison  of  the  pitch  rate  signals  between  Figure  4.6  and  Figure  4.4  highlights  the  differences  between  dither 
signals  generated  under  different  failure  scenarios.  Even  with  the  relatively  small  signal  strengths,  pitch  rate 
signal  characteristics  are  obvious.  A  non-subliminal  dither  signal  or  a  purposeful  command  would  be  required 
to  provide  positive  identification  without  ambiguity  (See  Appendix  F). 

Figure  4.7  displays  a  left  flaperon  (A3)  failure  induced  at  3.0  seconds.  The  failure  is  detected  and  identified 
within  0.15  seconds.  A  drop  out  in  the  probability  occurs  at  4.2  to  4.7  seconds.  During  this  time  period,  the 
yaw  rate  failure  filter  picks  up  the  probability.  Again,  a  slightly  larger  lateral  dither  pulse  would  provide  better 
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results  and  reduce  or  eliminate  the  ambiguities.  Figure  4.8  displays  the  state  values  for  this  failure.  The  lateral 
acceleration  demonstrates  the  effect  of  the  failure  upon  the  excitation  of  the  system  (see  Figure  4.2  for 
comparison). 

Figure  4.9  presents  a  right  flaperon  (A4)  failure  induced  at  3.0  seconds.  The  right  flaperon  failure  is 
detected  and  identified  within  0.15  seconds.  A  drop  in  probability  occurs  at  4.2  to  4.7  seconds.  Ehiring  this 
time  period,  the  yaw  rate  failure  filter  picks  up  the  probability.  As  with  the  left  flaperon  failure,  a  larger  lateral 
dither  pulse  would  provide  better  results  in  reducing  or  eliminating  the  ambiguities.  It  is  of  no  surprise  that  the 
left  and  right  flaperon  failures  exhibit  similar  probability  characteristics.  The  flaperons  provide  roll  control. 
The  states  are  not  included  since  they  are  similar  to  the  left  flaperon  scenario. 

The  mdder  (A5)  failure  scenario  is  presented  by  Figures  4.10  and  4.1 1.  From  Figure  4.10,  the  mdder  failure 
is  induced  at  3.0  seconds  and  the  inappropriateness  of  the  fully  functional  (A4)  aircraft  hypothesis  is  initially 
detected  at  3.15  seconds.  The  mdder  failure  is  strongly  identified  at  3.35  seconds.  A  small  drop  out  unrelated 
to  the  tme  failure  occurs  at  5.9  seconds  and  is  picked  up  the  by  angle  of  attack  failure  filter.  This  phenomenon 
was  discussed  earlier,  and  it  is  corrected  by  the  onset  of  the  next  dither  pulse  at  6.0  seconds.  Figure  4.11 
displays  the  states  for  the  mdder  failure  scenario. 

Figure  4.12  demonstrates  the  detection  and  identification  of  a  velocity  sensor  (SI)  failure.  The  failure  is 
detected  essentially  instantaneously  at  3.01  seconds.  Figure  4.13  demonstrates  the  detection  and  identification 
of  an  angle  of  attack  sensor  (S2)  failure;  the  failure  is  detected  and  identified  at  3.04  seconds.  The  detection 
and  identification  of  a  pitch  rate  sensor  (S3)  failure  is  presented  in  Figure  4.14;  the  failure  is  induced  at  3.0 
seconds  and  detected  and  identified  at  3.18  seconds.  Figure  4.15  displays  the  detection  and  identification  of  a 
normal  acceleration  sensor  (S4)  failure.  Here,  the  failure  is  induced  at  3.0  seconds  and  identified  at  3.02 
seconds.  Figure  4.16  demonstrates  a  roll  rate  sensor  (S5)  failure,  and  the  failure  is  detected  and  isolated  at  3.2 
and  3.26  seconds  respectively.  A  larger  number  of  dropouts  occur  for  this  failure  scenario.  The  largest  spike 
occurs  just  before  6  seconds,  as  noted  previously.  Figure  4.17  presents  a  yaw  rate  sensor  (S6)  failure.  The 
failure  is  induced  at  3.0  seconds  and  detected  and  identified  at  4.6  and  4.7  seconds.  The  yaw  rate  sensor 
demonstrates  different  characteristics  than  the  other  sensors  in  that  the  there  is  a  slow  buildup  of  p^.  This  is 
due  to  a  bias  in  the  residual  which  gradually  decays  when  the  tme  failure  condition  is  a  yaw  rate  sensor  failure. 


60 


A  proposed  solution  to  this  phenomena  is  discussed  later  in  the  chapter.  Also,  a  large  spike  occurs  just  before 
the  pulse  at  6  seconds,  as  noted  previously.  Figure  4.ig  presents  the  lateral  acceleration  failure.  The  failure 
is  detected  and  identified  at  3.01  seconds. 

In  general,  the  sensor  failures  display  rapid  and  good  identification  characteristics.  The  probability  traces 
are  clean  and  exhibit  very  little  ambiguity  when  compared  to  actuator  failures.  The  actuators  tend  to 
demonstrate  more  ambiguity,  especially  between  left  and  right  similar  surfaces  (stabilators  or  flaperons),  and 
probability  convergence  is  always  slower.  The  convergence  properties  of  the  tivo  classes  of  failures  is  related 
to  their  residual  characteristics.  The  sensor  failures  appear  directly  and  instantaneously  on  single  scalar 
residuals,  while  actuator  failures  appear  through  a  number  of  scalar  residuals,  and  only  after  the  actuator  failure 
effects  become  evident  through  the  system  dynamics  (with  inherent  delays). 

A  second  subliminal  dither  signal  is  included  within  this  section  to  demonstrate  the  relationship  between 
dither  signal  characteristics  (signal  polarity,  strength,  and  relative  timing)  and  failure  detection  characteristics. 
The  relative  timings  between  the  two  dithers  are  identical.  The  modification  to  the  dither  signal  occurs  in  the 
signal  strengths.  The  longitudinal  pulse  strength  was  reduced  by  2  lbs  while  the  lateral  and  directional  pulse 
strengths  were  increased  by  0.5  lbs  and  2  lbs  respectively.  Previous  experience  with  the  dither  pulses  motivated 
the  change.  Often  when  ambiguity  is  present  between  a  left  and  right  surface,  a  small  increase  in  the  lateral  and 
directional  pulse  strengths  can  help  resolve  the  ambiguity.  Too  large  an  increase  will  result  in  a  longer  delay 
period  before  proper  identification.  The  reduction  in  the  longitudinal  pulse  prevents  any  violation  of  the 
subliminal  dither  signal  criteria.  Also,  the  longitudinal  pulse  strength  reduction  from  very  large  values  reduced 
the  amount  of  system  excitation  and  resulted  in  cleaner  probability  time  histories.  Figure  4.19  estabhshes  the 
fully  functional  (no-failure)  filter.  Note  the  probability  traces  are  very  similar  to  the  first  subliminal  dither 
scenario.  Figure  4.20  displays  the  corresponding  state  variables.  Of  particular  interest  is  the  magnitude  of  the 
dither  pulses  reflected  in  the  lateral  acceleration,  as  compared  to  Figure  4.2.  The  first  subliminal  dither  had 
lateral  acceleration  values  between  +/-  0.1  g’s.  The  lateral  acceleration  fron*  Figure  4.20  is  between  +0.1  and  - 
0.16.  The  rationale  for  the  increases  in  lateral  pulse  strength  will  become  obvious. 

Figure  4.21  presents  the  data  for  a  left  stabilator  (Al)  failure  with  the  second  subliminal  dither  signal.  It 
is  similar  to  Figure  4.3.  The  failure  is  initially  detected  and  identified  at  3.15  seconds.  Ambiguities  exist 
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bct^vecn  the  left  and  right  stabilator  from  4.0  to  4.7  seconds.  The  left  stabilator  failure  is  detected  and  identified 
at  4.7  seconds. 

Figure  4.22  displays  the  right  stabilator  (A2)  failure.  The  failure  is  induced  at  3.0  seconds  and  detected  and 
identified  at  3.18  seconds.  Comparison  with  Figure  4J  indicates  significantly  improved  performance. 

Figure  4.23  presents  the  left  flaperon  (A3)  failure.  The  ambiguity  between  the  left  flaperon  and  the  yaw  rate 
failure  filters  in  Figure  4.7  is  eliminated.  Ambiguity  is  usually  caused  by  insufficient  system  excitation.  By 
increasing  the  lateral  excitation,  the  ambiguity  is  eliminated. 

Figure  4.24  presents  the  right  flaperon  (A4)  failure.  Again,  the  ambiguity  is  eliminated. 

The  rudder  (A5)  failure  is  nearly  identical  to  Figure  4.10.  It  is  not  included. 

All  of  the  sensor  failures  are  nearly  identical  to  those  presented  in  Figures  4. 1 2  to  4.20  with  the  excephon 
of  the  yaw  rate  failure.  Figure  4.25  presents  the  yaw  rate  (S6)  failure.  The  failure  is  detected  and  identified 
at  4.25  seconds,  as  compared  to  4.6  sec  and  4.7  sec,  respectively,  for  the  fust  subliminal  dither  signal  presented 
in  Figure  4.17. 

The  comparison  between  the  two  subliminal  dither  signals  is  designed  to  demonstrate  differences  in  dither 
signals.  A  dither  signal  can  be  designed  to  provide  good  performance  for  any  failure  scenario.  The  second 
dither  signal  was  designed  to  provide  good  failure  identificatioo  for  all  failures  and  excellent  identification  for 
the  flaperon  actuator  failures.  A  combination  of  pulses  designed  to  provide  excellent  performance  identification 
for  each  actuator  could  be  utilized  in  a  failure  identificatioo  mode.  The  pilot  could  select  this  mode  and 
positively  identify  the  failure. 

4.2.2  Non-Subliminal  DUher  Signals 

Non-subliminal  dither  signals  are  considered  purposeful  commarxls  within  this  thesis.  Appendix  F  includes 
a  paper  by  Menke  and  Maybeck  which  provides  a  direct  comparison  between  subliminal  and  non-subliminal 
dither  signals.  The  results  indicate  failures  can  be  positively  identified  if  no  restrictions  are  placed  on  the  dither 
strength.  This  is  basically  a  purposeful  command. 


62 


1 


5 


6 


7 


8 


2 

Time 


(seconds) 


Fiqura  4.3  State*  for  no  failure  acenario 

using  aubllainal  dither  signal  1 


r  a  right  atabilator 
dither  aigi<al  1 


1 


5 


6 


7 


Figure  4 


2 

Time 


(seconds) 


,6  state*  for  a  right  »tabil*tor  failure 
using  subliminal  dither  lignal  1 


68 


Ancg  q  alpha 


01  2345678 

Time  (seconds) 
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Figur*  4.13  Probabilities  for  a  velocity  aensor  failure 
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Figure  4.15  Probabilities  for  a  normal  acceleration  sensor 
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4.2.3  Purposeful  Commands 

Purposeful  commands  are  presented  to  demonstrate  tbe  MMAE  algorithm’s  ability  to  detect  and  isolate 
failures  during  maneuvering  flight.  Figuies  4.26  -  4.30  demonstrate  the  detection  and  isolation  during  a  roll 
command.  The  results  indicate  excellent  performance.  Sensor  failure  results  are  not  included  since  these  results 
are  excellent  as  well,  as  they  were  with  no  purposeful  commands.  During  a  purposeful  command,  the  dither 
pulses  in  that  channel,  as  presented  previously,  are  suspended.  The  roll  command  used  to  generate  Figures  4.26 
-  4.30  is  a  roll  and  hold  of  1 3.5  lateral  stick  lbs  from  3.0  to  4.55  seconds.  The  side  stick  application  times  were 
selected  to  coincide  with  the  failure  insertion  at  3.0  seconds  and  to  demonstrate  the  detection  capabihty  with  the 
command  in  and  with  the  command  released.  A  pull  and  roll  command  provided  additional  results.  The  aircraft 
was  rolled  by  applying  13.5  lbs  of  lateral  stick  from  2.95  to  3.15  seconds.  At  3.15  seconds,  the  lateral  force 
was  reduced  to  10.0  lbs  and  a  longitudinal  command  of  13.5  lbs  was  introduced.  All  commands  were  removed 
at  4.55  seconds.  The  results  are  very  similar  to  Figures  4.26  -  4.30  with  the  exception  of  the  rudder  failure 
detection  scenario.  During  the  roll  and  pull  maneuver,  the  isolation  of  the  rudder  failure  required  an  additional 
2.4  scxonds  (time  of  failure  isolation  was  6.15  seconds).  During  a  multi-axis  maneuver,  the  system  may  be 
excited  too  much,  producing  a  larger  delay  for  failure  detection  and  isolation. 

The  application  of  a  rudder  kick  and  hold  resulted  in  a  misidentification  of  the  rudder  failure  for  a  yaw  rate 
sensor  failure.  The  rudder  input  is  applied  at  2.95  seconds  with  a  magnitude  of  40  lbs.  The  probability  strip 
charts  can  be  found  in  Appendix  A.  plots  A.30  through  A. 43.  The  misidentification  occurs  as  long  as  the  rudder 
is  held.  Releasing  the  rudder  produces  the  correct  failure  identification  at  the  application  of  the  dither  pulse. 
To  date,  over  1000  data  runs  have  been  conducted,  nearly  2000  in  fact,  with  only  one  misidentification.  Some 
non-identifications  have  occurred  due  to  insufficient  signal  strength  of  the  input  or  too  active  a  signal  resulting 
in  large  transients,  which  delay  the  identification  process. 
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4.2.4  Subliminal  Sinusoidal  Dither  Signals 

The  subliminal  sinusoidal  dither  signal  is  a  continuous  dither  signal  in  a  sine  wave  form.  The  frequency, 
established  by  empirical  methods,  is  2.39  Hz.  The  magnitudes  of  the  three  pulses  are  chosen  based  upon 
empirical  data.  The  frequency  and  magnitudes  were  established  by  attempting  provide  sufiicient  excitation 
for  good  failure  detection  and  identification  while  minimizing  longitudinal  and  lateral  directional  accelerations 
and  attempting  to  maintain  a  steady  state  trim  condition.  The  advantage  of  a  continuous  pulse  is  that  the  failure 
can  be  detected  at  any  time.  A  repeating  pulse  train  with  3  second  intervals  between  pulses  cannot  detect 
failures  for  all  time  between  pulses,  particularly  just  before  the  subsequent  pulse.  The  MMAE  algorithm  is 
ba.sed  upon  large  relative  differences  between  residuals  of  elemental  filters  based  upon  different  hypotheses. 
This  requires  a  system  excitation.  A  continuous  dither  signal  continuously  excites  the  system  and  provides 
constant  failure  detection  capability. 

Figure  4.31  demonstrates  the  no-failure  (FF  -  fully  functional)  scenario  for  a  continuous  sinusoidal  dither 
signal.  The  correct  hypothesis  is  detected  and  identified  within  0.4  seconds  from  the  initial  couditions.  Figure 
4.32  presents  the  corresponding  state  values.  Note  after  the  initial  transients,  the  normal  acceleration  oscillates 
between  0.95  and  1.05  g's.  The  lateral  acceleration  oscillates  between  -0.15  and  +  0.15  g’s.  The  apparent 
growtii  in  amplitude  w  ith  time  is  of  no  concern  as  the  lateral  acceleration  achieves  a  steady  state  value. 

Figure  4.33  presents  a  left  stabilator  (Al)  failure  induced  at  3.0  seconds.  The  failure  is  detected  and  locked 
at  3.2  seconds.  A  few  dropouts  occur  in  the  left  stabilator  probability  trace  during  the  mn;  however,  the 
dropouts  are  of  very  short  duration  and  do  not  seriously  affect  the  system  performance.  The  ambiguity  with  the 
right  stabilator,  left  flaperon,  and  roll  rate  sensor  make  physical  sense.  A  left  stabilator  failure  would  reduce 
the  pitch  rate,  introduce  a  roll  rate,  reduce  the  normal  acceleration,  modify  the  yaw  rate,  and  change  the  lateral 
acceleration  and  change  the  velocity.  These  effects,  coupled  with  the  reduced  excitation  inputs  from  the 
stabilators,  produce  insufficient  residual  growth.  By  simply  increasing  the  signal  to  the  remaining  stabilator,  the 
ambiguities  can  be  resolved.  Figures  4.3  and  4.21  display  the  same  ambiguity  characteristics  for  a  left  stabilator 
failure  for  pulse  dithering  signals. 

Figure  4.34  shows  a  right  stabilator  (A2)  failure  induced  at  3.0  seconds.  The  right  stabilator  probability 
"chatters"  during  the  first  2.0  seconds  from  the  failure  insertion  and  then  locks.  The  "chattering"  effect 
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dcnranstratcs  the  differences  between  the  left  and  right  stabilator  failures.  The  longitudinal  states  are  of  slightly 
lower  magnitude  for  the  right  stabilator  failure  and  the  lateral  directional  state  traces  display  more  dynami'; 
effects.  The  result  is  less  excitation  in  the  longitudinal  plane  and  more  excitation  in  the  lateral  directional  plane. 
Too  much  excitation  in  the  lateral  directional  plane  tends  to  delay  the  onset  of  probability  convergence.  In  this 
failure  scenario,  ambiguity  exists  between  the  left  stabilator,  the  mdder,  and  the  normal  acceleration  sensor 
filters.  This  scenario  is  entirely  different  from  the  left  stabilator  failure;  note,  for  instance,  there  is  no  ambiguity 
with  the  flaperons  here.  This  indicates  the  differences  in  the  control  system’s  use  of  the  stabilators.  By  failing 
the  right  stabilator,  a  diffen-nt  transient  is  produced,  resulting  in  different  residual  characteristics.  Comparison 
with  previous  pulse  dither  results  (Figures  4.5  and  4.22)  demonstrate  the  undesirable  characteristics  of  a 
continuous  sinusoidal  dither  signal.  Continuous  excitation  can  provide  more  dropouts  than  a  pulse  every  3.0 
seconds.  Figures  4.5  and  4.22  provide  "cleaner"  probability  time  histories  than  Figure  4.34. 

Figure  4.35  demonstrates  a  left  flaperon  (A3)  failure  induced  at  3.0  seconds.  The  failure  is  first  detected 
at  3.35  seconds,  locked  at  3.4  seconds,  breaks  lock  at  3.7  seconds,  and  finally  locked  at  4.0  seconds.  The  mdder 
filter  contains  a  portion  of  the  probability  during  the  3.6  to  4.0  tinie  frame.  Comparison  with  Figures  4.7  and 
4.23  demonstrate  "cleaner"  probability  traces  than  Figure  4.35.  This  characteristic  is  consistent  through  out  the 
sinusoidal  continuous  dither  scenarios. 

The  right  flaperon  (A4)  failure  is  very  similar  to  the  left  with  the  exception  of  a  larger  portion  of  probability 
being  contained  within  the  mdder  filter  during  the  3.6  to  4.0  time  frame.  Figure  4.36  demonstrates  this  failure 
scenario.  Figures  4.9  and  4.24  display  right  flaperon  failures  for  pulse  dither  signals.  A  portion  of  the 
probability  is  contained  in  the  yaw  rate  filter  in  Figure  4.9.  Virtually  no  ambiguity  exists  in  Figure  4.24,  while 
in  Figure  4.36  the  mdder  picks  up  part  of  the  probability  for  a  short  period  of  time.  Again,  the  sinusoidal  dither, 
by  virtue  of  its  constant  excitation,  produces  a  probability  time  history  with  more  drop  outs  than  the  pulse  dither 
scenarios. 

Figure  4.37  presents  the  mdder  (A5)  failure  induced  at  3.0  seconds.  The  failure  is  detected  at  3.8  seconds, 
and  finally  locked  at  5.0  seconds.  Performance  is  good  from  4.0  to  8.0  seconds.  Comparison  to  Figure  4.10 
highlights  the  sinusoidal  dither’s  characteristics.  The  continuous  excitation  produces  a  probability  time  history 
with  more  dropouts.  The  delay  time  for  the  first  pulse  dither  was  0.3  seconds.  The  delay  for  the  sinusoidal 
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dither  is  1 .0  sec  to  first  lock  and  2.0  sec  to  the  final  lock.  The  difference  in  delay  times  are  two-fold.  First, 
the  magnitude  used  in  the  sinusoidal  dither  is  smaller.  Secondly,  continuous  excitation  doesn't  produce  the  best 
results  as  soon  as  the  failure  has  been  identified.  Since  the  failure  always  occurred  at  3.0  seconds,  we  timed 
the  pulse  also  to  occur  at  3.0  seconds.  This  should  produce  the  best  results;  however,  it  is  not  a  realistic 
application  by  which  to  measure  "real  world"  performance.  The  sinusoidal  dither  signal  is  not  tied  to  any  failure 
time.  It  will  produce  consistent  results  regardless  of  the  failure  time.  A  pulse  dither  signal  with  smaller  times 
between  the  pulses  would  produce  better  results  for  a  "real  world"  application.  The  closer  the  pulses  are 
constructed  together,  the  closer  the  signal  is  to  a  continuous  dither  signal. 

All  sensor  failures  resulted  in  excellent  performance  characteristics,  as  in  the  case  with  pulse  dithers.  Due 
to  space  constraints,  sensor  performance  data  for  the  sinusoidal  dither  signal  is  not  included  but  can  be  found 
in  Appendix  A  (Figures  A.7  through  A.  13). 
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4.2.5  Residual  Monitoring 

Residual  monitoring  can  provide  an  additional  vote  in  the  declaration  of  a  failure,  as  discussed  in  Section 
2.4.  This  additional  vote  is  particularly  useful  when  resolving  ambiguities.  Seven  scalar  residuals  are  available 
for  use  in  the  detemiination  of  a  failure.  They  are  given  as  follows;  velocity,  angle  of  attack,  pitch  rate,  normal 
acceleration,  roll  rate,  yaw  rate,  and  the  lateral  acceleration.  Figures  4.38  -  4.44  demonstrate  the  scalar  residuals' 
usefulness.  The  residuals  presented  are  for  the  fully  functional  aircraft  filter  and  the  left  stabilator  elemental 
filter,  given  a  left  stabilator  failure  at  3.0  seconds.  In  each  plot,  +/-  3o  bounds  are  superimposed;  these  are 
derived  from  the  filter-computed  residual  covariance  (H  F  -h  R). 

Figure  4.38a  is  the  single  scalar  velocity  residual  for  the  fully  functional  aircraft  filter  given  a  left  stabilator 
failure  at  3.0  seconds.  The  velocity  residual  appears  white  and  is  within  the  +/-  3o  bounds  prior  to  the  induction 
of  the  failure  at  3.0  seconds.  At  3.2  seconds,  the  velocity  residual  is  no  longer  white,  appears  sinusoidal  with 
a  frequency  matching  that  of  the  sinusoidal  dither,  and  violates  the  +/-  3o  bounds.  The  residual  shows  that  the 
no-failure  hypothesis  is  correct  up  to  3.0  seconds.  Beyond  3.0  seconds,  the  no-failure  hypothesis  is  inconecL 
Figure  4..’8b  is  the  single  scalar  velocity  residual  for  the  left  stabilator  filter  given  a  left  stabilator  failure  at  3.0 
seconds.  A  sinusoidal  subliminal  dither  of  2.39  Uz  is  employed  in  a  conbnuous  fashion.  From  0  to  3.0  seconds, 
the  dither  signal  frequency  is  reflected  in  the  residual  (2.39  Hz).  Its  appearance  in  the  residual,  rather  than  a 
zero-mean  w  hite  characteristic  being  exhibited,  is  a  clear  indication  that  the  hypothesis  of  that  elemental  filter 
is  wTong  prior  to  3.0  seconds  into  the  simulation.  At  3.0  seconds,  the  correct  hypothesis  is  reflected  by  the  left 
stabilator  elemental  filter.  The  velocity  residual  shifts  within  the  3o  bounds,  a  white  zero-nrean  form  is 
displayed,  and  the  probability  soon  follows. 

Figures  4.39a,  4.39b,  4.40a,  and  4.40b  do  not  exhibit  such  clear  indications.  Figures  4.41a  and  4.41b 
demonstrates  some  of  the  frequency  characteristics  but  not  as  cleanly  as  the  velocity  residual.  Figures  4.42a, 
4.42b,  4.43a,  and  4.43b  do  not  demonstrate  clear  indications  of  a  correct  hypothesis  in  this  case. 

Figure  4.44a  is  the  lateral  acceleration  residual  for  the  fully  functional  aircraft  filter.  This  figure  shows  the 
lateral  acceleration  residual  is  white  and  within  the  +/•  3o  bounds  prior  to  3.0  seconds.  After  the  induction  of 
the  failure  at  3.0  seconds,  the  lateral  acceleration  residual  is  not  white,  has  a  frequency  matching  the  sinusoidal 
dither  signal,  and  violates  the  -t-/-  3o  bounds.  The  residual  shows  that  prior  to  3.0  seconds,  the  no-failure 
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hypothesis  is  correct  After  3.0  seconds,  the  no-failure  hypothesis  is  incorrect  Figure  4.44b,  the  lateral 
acceleration  residual,  clearly  indicates  the  failure.  From  0  to  3.0  seconds,  the  residual  violates  the  3o  bounds 
and  has  a  frequency  of  2.39  Hz.  It  is  clearly  not  white:  an  attribute  a  residual  signal  should  possess  if  the 
filter's  assumed  model  is  correct.  From  3.0  to  8.0  seconds,  the  lateral  acceleration  residual  looks  white  and  falls 
within  the  3o  bounds.  Notice  that  a  small  bias  prevents  the  signal  from  completely  falling  within  the  bounds. 

To  date,  analysis  indicates  the  velocity,  normal  acceleration,  and  lateral  acceleration  residuals  produce  the 
best  indications  of  failures.  A  detection  algorithm  could  be  developed  which  could  determine  the  "whiteness" 
of  a  residual  simply  by  counting  the  zero  crossings  during  a  time  interval.  If  residual  biases  arc  significant,  as 
in  Figure  4.44b,  then  an  estimate  of  the  bias  (as  accomplished  by  a  simple  finite-memory  averaging)  could  be 
used  to  compensate  the  residual  to  a  zero-mean  signal  before  counting  the  zero  crossings;  such  compensation 
would  also  allow  residuals  such  as  in  Figure  4.44b  to  fall  within  the  3o  bounds.  A  large  number  of  crossings 
indicating  a  w  hite  signal  and  the  correctness  of  the  filter-assumed  hypothesis.  A  relatively  small  number  of  zero 
crossings  would  indicate  a  non-random  signal  or  incorrect  hypothesis.  This  technique  would  only  work  for  a 
sinusoidal  dither  signal.  Pulse  dither  traces  do  not  demonstrate  these  attributes. 
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Figure  4.38«  Single  sceler  velocity  reelduel  for  the  fully- 
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Figure  4.41a  Single  ecalar  normal  acceleration  reaidual  for  the 

fully-functional  filter  given  a  left  atabilator  failure 
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4.3  Single  Soft  Failures 


4.3.1  Subliminal  Dither  S^nals  (actuaiors/increased  sensor  noise) 

Two  soft  failure  scenarios  were  developed  for  this  thesis  effort  a  50%  reduction  in  actuator  effectiveness 
(obtained  by  multiplying  individual  columns  of  the  B  matrix  by  0.5)  and  a  75%  reduction  in  actuator 
effects  cness.  For  the  sensors,  soft  failures  were  simulated  by  a  doubling  in  the  sensor  noise  standard  deviation 
(o)  and  a  multiplier  of  3.16  in  the  sensor  noise  o  (i.e.  a  multiplier  of  10  on  the  o^).  The  goal  of  the  soft  failure 
study  was  to  see  if  a  proportionate  combination  of  the  fully-functional  aircraft  elemental  filter  and  the 
appropriate  hard-failure  elemental  filter  could  be  used  to  indicate  a  soft  failure. 

Figure  4.45  demonstrates  a  50%  reduced  effectiveness  left  stabilator  failure  induced  at  3.0  seconds.  The 
probability  is  spread  throughout  the  actuators  and  sensors  rather  than  just  between  FF  and  A1  as  desired.  Figure 
4.46  presents  the  75%  reduced  effectiveness  left  stabilator  failure.  The  left  stabilator  filter  contains  the  majority 
of  the  probability.  From  3.8  to  4.4  seconds,  the  right  stabilator  is  misidentified  by  the  algorithm. 
Hypothetically,  the  fully  fuiKtional  and  left  stabilator  should  equally  share  probability  given  a  50%  left  stabilator 
effectiveness,  and  proportionately  share  the  probability  for  the  75%  effectiveness  cases.  The  actual  value  of 
probability  associated  with  A 1  in  the  75%  effectiveness  cases  is  between  50  and  75%  and  may  best  be  measured 
with  temporal  averaging,  but  the  remainder  is  not  confined  to  FF.  The  filters  used  in  this  section  were  tuned 
for  hard  failure  detection  performance,  and  the  tuning  was  not  readjusted  to  enhance  soft  failure  detection 
performance.  Comparison  of  Figures  4.45, 4.46,  and  4.21  demonstrate  the  progression  of  the  failure  from  50% 
to  75%  to  100%  reduced  effectiveness.  While  it  is  difficult  to  discern  any  useful  information  from  Figure  4.45 
alone,  comparison  of  Figures  4.46  and  4.21  yield  similar  characteristics.  The  ambiguity  with  the  right  stabilator 
present  in  Figure  4.21  is  also  present  in  Figure  4.46. 

Figure  4.47  demonstrates  a  50%  reduced  effectiveness  right  stabilator  failure  induced  at  3.0  seconds.  Again, 
the  probability  is  shared  between  the  actuator  and  sensor  filters.  The  right  stabilator  filter  displays  a  number 
of  probability  spikes  indicative  of  improving  residual  characteristics.  Figure  4.48  presents  the  75%  reduction 
in  right  stabilator  effectiveness.  The  right  stabilator  filter  contains  the  majority  of  the  probability  trace,  as 
desired.  Comparison  of  Figures  4.47,  4.48,  and  4.22  demonstrate  the  progression  of  the  failure  as  the  actuator 


effectiveness  is  reduced  from  50%  to  75%  to  100%.  Again,  Figure  4.47  provides  little  validation  information. 
Comparison  of  Figures  4.48  and  4.22  yield  similar  characteristics.  The  spikes  present  in  Figure  4.22  can  be 
found  in  Figure  4.48. 

Figure  4.49  presents  a  50%  reduced  effectiveness  left  flaperon  failure.  The  ftaperon  failure  produces  results 
that  are  consistent  with  theoretical  expectations,  a  sharing  of  probability  data.  This  sharing  of  probability 
produces  the  desired  blending  of  control  outputs.  Although  the  sharing  is  not  equal,  the  bounding  value  is  close 
to  50%  reduced  effectiveness.  Figure  4.50  demonstrates  the  75%  reduction  in  left  flaperon  effectiveness.  The 
left  flaperon  filter  contains  the  probability  with  some  minor  ambiguity  with  the  right  flaperon. 

Figure  4.51  demonstrates  a  50%  reduced  effectiveness  right  flaperon  failure.  The  right  flaperon  failure 
presents  improved  results  over  those  given  in  Figure  4.49.  Figure  4.52  presents  the  75%  reduction.  The 
probability  trace  is  very  clean  for  the  right  stabilator,  with  the  exception  of  ambiguity  at  3.4  to  3.6  seconds  and 
the  small  spike  in  the  angle  of  attack  elemental  filter  prior  to  the  6  second  pulse  (as  previously  noted). 

Figure  4.53  presents  a  50%  reduced  effectiveness  rudder  failure.  The  rudder  and  fully  functional  filter  share 
the  probability  after  the  insertion  of  the  soft  rudder  failure.  Figure  4.54  demonstrates  a  75%  reduction.  The 
rudder  trace  in  this  case  is  very  similar  to  the  hard  rudder  failure. 

Figure  4.55  demonstrates  the  lo  increased  noise  failure  for  the  velocity  sensor.  The  results  indicate  the 
velocity  sensor  was  not  identified  as  the  failed  sensor.  Probability  spikes  exist  in  many  of  the  actuator  filters. 
The  pitch  rate  filter  also  contains  a  small  but  consistent  portion  of  the  probability.  Increasing  the  noise  content 
to  3.160  as  shown  in  Figure  4.56  does  not  improve  the  failure  identifiabihty.  The  velocity  sensor  filter’s  scalar 
velocity  residual  indicates  a  divergent  filter.  At  this  point,  a  few  options  are  available.  First,  we  could  improve 
the  velocity  model  to  match  the  real  world  better.  A  second  option  might  be  to  reset  or  restart  the  filter  at  a 
regular  interval  in  an  attempt  to  control  its  divergence.  The  interval  at  which  the  filter  must  be  restarted  depends 
upon  the  divergence  rate  and  the  performance  degradation.  Restarting  a  filter  implies  reinitializing  the  divergent 
elemental  Kalman  filters  to  agree  with  the  fully  functional  Kalman  filter  values  (if  it  is  nondivergent),  or  with 
a  suitable  hnear  combination  of  nondivergent  filter  state  estimates.  This  technique  forces  the  filter  residuals  to 
nearly  zero  at  each  reintialization.  Such  a  modification  to  the  algorithm  is  not  included  in  this  thesis  effort 
The  angle  of  attack  soft  failure  provides  better  results.  Figure  4.57  demonstrates  the  lo  increased  noise 
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scenario.  Other  than  the  fully  functional  filter,  the  angle  of  attack  filter  contains  a  large  portion  of  the 
probability.  Figure  4.38  presents  the  3.1 6o  scenario.  The  flaperon,  rudder,  pitch  rate,  roll  rate,  and  yaw  rate 
contain  small  but  consistent  portions  of  the  probability  trace.  The  angle  of  attack  filter  contains  a  larger  portion 
of  the  probability  and  more  probability  spikes. 

Figure  4.59  demonstrates  the  lo  increased  noise  for  the  pitch  rate  sensor.  Two  small  probability  spikes 
occur  in  the  pitch  rate  elemental  filter.  Increasing  the  noise  to  3.l6o,  Figure  4.60,  slightly  improves  the 
probability  trace.  The  aircraft  is  controllable  throughout  the  increased  noise  scenario. 

Figure  4.61  presents  the  lo  increased  noise  for  the  normal  acceleration  sensor.  While  the  probability  is 
spread  throughout  the  flaperons,  mdder,  angle  of  attack,  pitch  rate,  normal  acceleration,  roll  rate,  and  yaw  rate 
filters,  the  normal  acceleration  has  an  appropriate  spiking  phenomenon.  This  spiking  phenomenon  occurs 
throughout  the  failure  set  and  experimental  results  have  shown  that  this  phenomenon  is  indicative  of  a  filter  with 
the  correct  hypothesized  failure.  Figure  4.62  presents  the  3.16o  increased  noise  for  the  normal  acceleration 
sensor.  All  of  the  filters  experience  increased  probabilities  except  the  velocity  sensor.  The  normal  acceleration 
contains  more  probability  spikes,  indicating  improved  failure  'detection  capability  from  the  lo  case. 

Figure  4.63  demonstrates  the  lo  increased  sensor  noise  for  the  roll  rate  sensor.  The  roll  rate  probability 
trace  indicates  some  small  spiking  in  the  roll  rate  filter.  Increasing  the  noise  to  3.16o,  Figure  4.64,  yields  more 
spiking  in  the  roll  rate  filter  probability  trace.  A  small  amount  of  probability  occurs  in  the  pitch  rate  filter. 

Figure  4.65  presents  the  lo  increased  sensor  noise  for  the  yaw  rate  sensor.  The  yaw  rate  elemental  filter 
picks  up  the  probability  in  the  last  0.4  seconds  of  the  run.  Figure  4.66  demonstrates  the  3.16o  ensor  noise 
increase.  A  significantly  larger  portico  of  prebabilit;  is  evident  within  the  filter  probability  trace. 

Figure  4.67  demonstrates  the  lo  increased  sensor  noise  for  the  lateral  acceleration  sensor.  All  of  the 
actuator  elemental  filters  contain  a  portion  of  the  probability  value.  A  few  small  spikes  occur  in  the  lateral 
acceleration  elemental  filter.  Figure  4.68  presents  the  3.16o  increased  sensor  noise  scenario.  All  of  the 
actuators  contain  portions  of  the  probability.  The  sensor  traces  reveal  small  portions  of  the  probability  in  the 
angle  of  attack,  pih  fa  rate,  normal  acceleration,  roll  rate,  yaw  rate,  and  lateral  acceleration.  The  lateral 
acceleration  sensor  contains  the  spiking  phenomena  discussed  earlier.  The  algorithm  has  great  difficulty  in 
identifying  failu’e  scen^'^o,  possibly  due  to  the  fact  that  all  surfaces  can  produce  a  lateral  acceleration. 
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Trying  to  detect  a  lo  increase  in  sensor  noise  is  consistently  difficult  with  the  filters  tuned  as  originally  for  hard 
failure  detection  performance,  but  using  only  fuUy-functional  aircraft  and  hard  failure  hypotheses  for  the  basis 
of  designing  elemental  filters  does  yield  capacity  to  detect  "soft  failures"  of  the  form  of  an  order  of  magnitude 
increase  in  sensor  noise  variance,  or  50  -  75%  loss  of  effectiveness  of  actuators. 
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Figure  4 . S8  Probabilitie*  for  a  3.160  increased  seneor  noise  failure 
for  the  angle  of  attack  sensor 
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Figure  4.60  Probabilitle*  for  «  J.160  increa»e<l  lenaor  noiaa  failure 
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Figure  4.63  Probabilitlai  for  ■  3.160  increaeed  senaor  noiaa  failure 
for  the  normal  acceleration  aenaor 
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Figure  4.67  Probabilitiea  for  «  lo  Increased  sensor  noise  failure 
for  the  lateral  acceleration  sensor 
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4JJ  Sinusoidal  Dither  (sensor  bias) 

During  the  investigation  of  single  failures,  an  interesting  situation  arose.  Whenever  a  yaw  rate  failure  was 
inserted  into  the  simulation,  the  probabiUty  would  ramp  slowly  to  the  maximum  value  in  the  yaw  rate  failure 
(S6)  rdtcr  (Figure  4.17).  A  study  of  the  yaw  rate  residual  within  that  filter  identified  a  bias  that  ramped  up  until 
the  failure  occurred  and  then  proceeded  to  ramp  to  zero.  The  bias  is  believed  to  be  caused  by  the  integration 
routine;  however,  this  conjectme  has  not  been  proven  conclusively.  A  question  arose  because  of  this  bias  effect 
//  a  failure  has  been  declared  by  the  algorithm,  how  much  of  a  bias  can  exist  in  the  residual  before  the  failure 
is  masked  by  the  bias?  The  thesis  attempted  to  address  this  question  by  studying  two  sensor  bias  cases.  The 
purpose  of  this  study  was  to  investigate  the  effect  of  single  residual  biases  on  the  MMAE  algorithm 
performance.  Figure  4.69  demonstrates  the  effect  of  a  roll  rate  bias  of  0.1  deg/sec  applied  to  the  roll  rate 
residual  at  3.0  seconds  (also  the  insertion  of  a  roll  rate  failure).  Figure  4.69  shows  that  the  algorithm  has 
difficulty  in  determining  which  filter  contains  the  correct  hypothesis.  At  3.1  to  3.5  seconds,  the  roU  rate  failure 
elemental  filter  is  identified  as  the  correct  filter.  At  3.5  seconds,  the  probabiUty  leaves  the  roll  rate  failure  filter 
and  is  captured  by  the  fully  functional  aircraft  filter  until  4.6  seconds.  Notice  this  pattern  occurs  again  after  the 
second  pulse  application.  At  4.5  seconds,  the  roU  rate  failure  filter  is  deteimined  to  be  the  correct  filter.  Just 
prior  to  the  applicaUon  of  the  second  pulse,  the  probability  is  scattered  between  the  fully  functional  aircraft  filter, 
the  flapcron  failure  filters,  and  the  pitch  rate  failure  filter.  The  pulse  pattern  is  repeated  from  6.0  to  6.6  seconds. 
At  6.6  seconds,  the  roll  rate  filter  is  identified  as  the  correct  failure.  The  evidence  suggests  that  very  Uttle 
additional  bias  could  be  tolerated  without  the  complete  in^ility  of  the  algorithm  to  identify  the  correct  failure. 
An  addiUonal  mn  was  performed  for  a  bias  of  1.0  deg/sec  (not  shown).  The  results  indicated  no  detection  by 
the  roU  rate  filter  of  a  failure. 

Figure  4.70  demonstrates  a  yaw  rate  bias  of  0.01  deg/sec.  The  bias  is  inserted  with  the  yaw  rate  sensor 
failure  at  3.0  seconds.  Again,  the  purpose  of  this  study  is  to  deteimine  how  much  of  a  bias  can  be  tolerated  and 
still  provide  adequate  failure  protection.  Figure  4.70  indicates  the  identification  of  the  yaw  rate  failure  at  3.2 
seconds.  At  4.85  seconds,  the  yaw  rate  filter  loses  the  probability  to  the  fully  functional  aircraft  elemental  filter, 
the  flapcron  failure  filten,  and  the  pitch  rate  failure  filter.  The  application  of  a  second  pulse  restores  the 
probability  to  the  yaw  rate  failure  filter  for  a  nearly  identical  time  period  following  the  first  pulse  (or  1.65 
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seconds).  An  additional  run  with  the  bias  set  at  0.08  deg/sec  revealed  that  the  algorithm  could  no  longer  identify 
the  correct  filter. 
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4.4  Multiple  Failures 

Tbe  term  "multiple  failures"  in  this  thesis  is  defuied  as  two  failures.  The  only  multiple  failures  analyzed 
within  this  thesis  are  dual  hard  failures.  The  first  failure  is  induced  at  3.0  seconds.  The  second  failure  is 
induced  at  6.0  seconds,  coinciding  with  the  second  pulse  application.  The  best  system  performance  will  occur 
when  the  pulse  and  failure  occur  simultaneously.  After  the  characterization  of  the  dual  failure  performance  with 
the  failures  separated  by  3.0  seconds,  the  time  between  failures  was  reduced  until  the  two  failures  occurred 
simultaneously.  Table  4.1  presents  the  results  of  the  multiple  failure  matrix.  The  column  header  lists  the  left 
stabilator  (LS),  the  right  flaperon  (RF),  the  mdder  (RD),  Uie  velocity  sensor  (VS),  the  angle  of  attack  sensor 
(AOA),  the  pitch  rate  sensor  (PR),  the  normal  acceleration  sensor  (NZ),  the  roll  rate  sensor  (RR),  the  yaw  rate 
sensor  (YR),  and  the  lateral  acceleration  sensor  (NY).  The  right  stabilator  and  left  flaperon  were  not  included 
since  no  additional  insight  would  be  gained  by  mnning  these  failures.  The  ftrst  column  lists  all  of  tbe  second 
failures.  Any  dual  failure  scenario  can  be  evaluated  by  finding  tbe  intersection  of  the  column  and  row.  Tbe 
first  failure  is  hsted  in  the  column  heading  and  the  second  failure  is  the  intersecting  row. 

The  terminology  within  the  table  is  in  some  sense  subjective  and  is  defined  as  follows: 

ND  -  No  Detection  -  The  signal  was  not  detected  in  the 

appropriate  failed  filter 

Poor  -  Some  spiking  •  Some  probability  spiking  occurred  in 

tbe  appropriate  failed  filter 

Fair  -  Prob.  Lock  -  The  probability  in  the  appropriate  filter 

was  at  0.988  (max)  for  some  appreciable 
period  of  time 

Good  -  Lock  &  Hold  -  The  probability  in  the  appropriate  filter 

was  at  0.988  (max)  for  some  appreciable 
period  of  time  and  was  consistently  0.988 
through  the  end  of  the  simulation  mn 
(8.0  seconds). 
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ND 
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Good 

Good 

Good 
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Table  4.1  Multiple  Hard  Failure  Summary  Matrix 


The  "ND"  and  "Poor"  results  are  shaded  to  accentuate  the  problem  areas.  Particularly  evident  from  this  shading 
is  that  there  is  much  less  difficulty  if  the  Hrst  failure  is  a  sensor  rather  than  an  actuator.  In  many  cases,  this 
is  due  to  the  fact  that  the  first  failure  of  an  actuator  reduces  the  abiUty  to  apply  significant  dither  excitation 
(because  of  the  failed  actuator)  to  allow  desirable  detection  of  the  second  failure.  This  can  be  addressed  in  final 
implementation  by  modifying  the  appropriate  dither  once  a  Hrst  actuator  failure  has  been  declared.  This  is 
explored  later  in  Section  4.4.4. 
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The  complete  set  of  rcsults  can  be  found  in  Appendix  A.  A  portion  of  those  results  will  be  presented  within 
this  section.  The  criteria  for  presentation  within  this  section  is  to  demonstrate  dual  actuator  failures,  dual  sensor 
failures,  combinations  of  actuator  and  sensor  failures;  to  present  examples  of  the  subjective  rating  system  for 
each  category  (ND,  poor,  fair,  and  good);  to  demonstrate  differences  between  the  order  of  two  failures;  and 
finally,  to  show  examples  of  improved  excitation  and  the  effect  on  algorithm  identification  perfomiance.  All 
of  the  results,  generated  with  the  subliminal  dither  pulse,  presented  in  Table  4.1  are  based  upon  a  pulse  train 
dither  occurring  every  3.0  seconds  (the  same  pulse  used  in  the  single  failure  section). 

Multiple  failures,  in  this  case  dual  failures,  were  represented  conceptually  in  Section  2.5.  The  level  0 
designation  represents  the  first  no-failure  condition.  The  filters  within  this  bank  consists  of  a  fully-functional 
aircraft  filter,  five  single-actuator-failure  filters,  and  seven  single-sensor-failure  filters.  The  next  level  is  assigned 
the  designation  of  level  1.  Each  level  1  filter  bank  assumes  a  first  failure  has  already  occulted.  The  filters 
within  these  banks  consists  of  a  no-failure  filter  (to  allow  the  algorithm  the  ability  to  back  out  of  the  structure 
to  level  0  in  the  case  of  a  misidentification),  five  actuator  filters  designed  for  an  assumed  failure  and  any  other 
second  failure,  and  seven  sensor  failures  designed  for  an  assumed  failure  and  any  other  second  failure.  CThe 
elemental  filter  that  duplicates  the  single  assumed  failure  is  the  only  exception  -  it  assumes  only  that  one  single 
failure.)  As  an  example  for  a  left  stabilator  failure,  from  0  to  3.0  seconds  the  probability  would  be  in  the  level 
0  fully-functional  aircraft  filter.  Following  the  detection  of  a  left  stabilator  failure,  sometime  after  the  insertion 
of  that  failure  at  3.0  seconds  into  the  simulation,  the  probability  would  collect  in  the  level  0  left  stabilator  filter 
(A  1 )  until  the  probability  was  above  0.9  for  more  than  10  sample  periods  (this  switching  criterion  is  used  to 
reduce  erroneous  bank  switching  compared  to  what  would  result  from  a  probability  threshold  less  than  0.9  or 
froma  time  threshold  less  than  10  sample  periods).  After  the  bank  switching  criterion  was  met,  the  algorithm 
would  switch  to  the  left  stabilator  (Al)  level  1  bank.  This  bank  contains  13  filters:  the  no-failure  (FF)  filter, 
a  left  stabilator  failure  alone  (Al)  filter,  four  actuator  filters  each  designed  for  a  left  stabilator  failure  and  the 
appropriate  actuator  failure  (i.e.,  left  and  right  stabilator  (A2)  failures,  left  stabilator  and  left  flaperon  (A3) 
failures  ,  left  stabilator  and  right  flaperon  (A4)  failures,  and  left  stabilator  and  rudder  (A5)  failures),  and  seven 
sensor  fillers  each  designed  for  a  left  stabilator  and  any  other  sensor  failure  (i.e.,  left  stabilator  and  velocity 
sensor  (SI)  failures,  left  stabilator  and  angle  of  attack  sensor  (S2)  failures,  left  stabilator  and  pitch  rate  sensor 
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(S3)  failures,  left  slabilator  and  normal  acceleration  sensor  (S4)  failures,  left  stabilator  and  roll  rate  sensor  (S5) 
failures,  left  stabilator  and  yaw  rate  sensor  (S6)  failures,  and  the  left  stabilator  arxl  lateral  acceleration  sensor 
(S7)  failures).  The  level  1  bank  is  not  brought  "on-line"  until  after  a  filter,  other  than  the  fully-functional  filter, 
has  met  the  switching  cntcrion  discussed  previously.  At  this  point  the  bank  is  switched  to  the  appropriate  level 
1  bank.  To  conserve  space,  the  probability  tiine  histories  for  the  level  0  and  level  1  banks  are  displayed  on  the 
same  strip  charts.  To  identify  quickly  whether  the  algorithm  has  switched  banks,  apply  the  following  criteria: 

( 1)  the  fully  functional  filter  must  not  contain  any  appreciable  (more  than  104fc)  portion  of  the  probability,  (2) 
tlK  first  filter  to  have  more  than  90%  of  the  probability  for  greater  than  10  sample  periods  (0.15625  seconds) 
will  be  the  level  1  bank  the  filter  will  bring  "on-line".  Also,  a  "Bank  Switch"  time  designation  is  provided  at 
the  top  of  tlie  first  strip  chart  for  convenience.  At  that  point,  the  designations  for  each  of  the  filters  change 
meaning.  The  designation  A1  no  longer  means  a  single  left  stabilator  failure.  It  implies  the  first  failure,  that 
the  algoritlim  identified  as  meeting  the  necessary  conditions  to  switch  the  bank,  and  a  left  slabilator  failure.  This 
IS  tme  for  all  of  the  filter  dcsignaUons.  Obviously,  one  filter  in  the  twelve  failure  filters  will  be  a  single  failure 
alone  filter  (i.e.,  A1  would  still  be  a  left  stabilator  only  filter  if  the  level  1  bank  is  the  left  stabilator  failure 
bank). 

4.4.1  Subliminal  Luther  Signals 

Figure  4.71  presents  the  dual  slabilator  failure.  Al  3.0  seconds,  a  left  stabilalor  failure  is  induced.  The 
failure  is  detected,  the  probability  is  greater  than  0.9  for  more  than  ten  sample  periods  (0.15625  seconds),  and 
the  level  1  (Al)  bank  is  brought  "on-line".  Within  the  level  I  (Al)  bank,  the  failure  is  locked  for  .9  seconds 
at  which  point  ambiguity  arises.  The  dual  failure  (A2)  filter  is  incorrectly  identified  as  the  coirect  failure  until 
4.6  seconds.  At  4.7  seconds,  the  left  stabilator  (Al)  is  properly  identified  as  the  correct  failure.  The  induction 
of  the  right  stabilator  failure  at  6.0  seconds  is  not  detected  within  the  8.0  second  simulation  run.  In  this 
scenario,  without  a  proper  and  necessary  excitation  of  the  pitch  axis,  a  failure  can  not  be  detected.  The  only 
control  surfaces  which  can  provide  this  necessary  excitation  are  the  stabilators,  both  of  which  have  failed.  After 
a  first  failure,  a  different  type  of  dither  signal  could  be  enabled  to  provide  better  performance.  A  higher 
magnitude  sinusoidal  dither  signal  may  provide  improved  response.  This  hypothesis  is  demonstrated  for  a  dual 
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stabilalor  failure  and  a  right  flaperon  followed  by  a  pitch  rate  sensor  failure.  These  figures  will  be  presented 
later  in  this  chapter.  Additional  surfaces  provide  additional  options.  Upon  the  isolation  of  a  stabilator  failure, 
the  flapcrons  could  be  reconfigured  to  provide  symmetrical  deflections.  This  augmentation  to  the  longitudinal 
dither  signal  might  be  enough  to  produce  the  necessary  level  of  excitation  for  good  detection  performance. 
Since  no  failure  detection  occurred  within  the  6.0  to  8.0  time  frame,  the  rating  system  assigns  a  "ND"  for  this 
failure  scenario. 

Figure  4.72  demonstrates  the  right  flapcron  and  rudder  failure.  The  right  flaperon  failure  is  induced  at  3.0 
seconds  and  is  detected  immediately.  The  level  1  right  flaperon  failure  (A4)  bank  is  brought  "on-line".  The 
induction  of  the  mdder  failure  at  6.0  seconds  is  not  detected  by  the  algorithm.  The  majority  of  the  probability 
remains  with  the  right  flapcron  (only)  filter.  A  small  portion  is  in  the  fully  functional  "no-failure"  filter.  A 
small  spike  occurs  in  the  AOA  sensor  failure  filter  and  a  small  spike  at  6.4  seconds  in  the  yaw  rate  sensor 
failua  filter  is  present.  This  scenario  is  assigned  an  "ND". 

Figure  4.73  demonstrates  a  rudder  and  angle  of  attack  sensor  failure.  The  mdder  failure  is  induced  at  3.0 
seconds  and  is  locked  by  3.3  seconds.  The  level  1  mdder  failure  (A5)  bank  is  brought  "on-line"  at 
approximately  3.3  seconds.  The  induction  of  the  angle  of  attack  failure  at  6.0  seconds  is  detected  and  locked 
by  6.1  seconds  in  the  mdder  and  angle  of  attack  sensor  failure  (S2)  filter.  A  single  probability  spike  occurs  at 
6.4  seconds.  After  the  spike,  the  probability  remains  in  the  mdder  and  angle  of  attack  sensor  failure  filler  untQ 
the  end  of  the  simulation.  This  scenario  is  assigned  a  "Good"  by  the  rating  system. 

Figure  4.74  presents  the  velocity  sensor  and  left  stabilator  failure.  The  velocity  sensor  failure  is  induced 
at  3.0  seconds  and  is  locked  almost  immediately.  The  level  1  velocity  sensor  failure  (SI)  bank  is  brought  "on¬ 
line"  at  approximately  3.2  seconds.  The  left  stabilator  is  induced  at  6.0  seconds  and  some  probability  spiking 
occun  in  the  "no-failure"  (FF)  filter,  the  velocity  sensor  and  left  stabilator  (Al)  filler,  the  velocity  sensor  and 
right  stabilator  (A2)  filt'’.r,  and  the  velocity  sensor  and  left  flaperon  (A3)  filter.  Some  small  spiking  occurs  in 
a  few  of  the  sensors.  Since  only  probability  spiking  occurs  in  the  velocity  sensor  and  left  stabilator  (Al)  failure 
filter,  the  rating  system  assigns  a  value  of  ’Poor"  to  this  scenario. 

Figure  4.75  illustrates  a  pitch  rate  sensor  and  left  stabilator  actuator  failure  combination.  The  pitch  rate 
sensor  failure  is  detected  and  isolated  within  0.2  seconds.  The  level  1  pitch  rate  sensor  failure  (S3)  bank  is 
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brought  "on-line"  at  approximately  3.3  seconds.  The  insertion  of  a  left  stabilator  failure  at  6.0  seconds  is 
initially  captured  by  the  pitch  rate  and  left  stabilator  failure  (Al)  filter,  lost  to  the  pitch  rate  failure  only  (S3) 
filter,  split  bebveen  the  pitch  rate  and  left  stabilator  failure  (Al)  filter  and  the  pitch  rate  and  right  stabilator 
failure  (A2)  filter,  and  finally  locked  by  the  pitch  rate  sensor  and  left  stabilator  failure  (Al>  filter  at  7.6  seconds. 
Note  that,  even  during  this  time  of  ambiguity,  the  pitch  rate  failure  and  a  stabilator  failure  were  detected  (more 
than  just  a  pitch  rate),  and  it  takes  some  finite  amount  of  time  to  resolve  which  stabilator  failed  (a  typicc' 
left/right  arribiguity).  This  ambiguity  is  acceptable  in  that  a  the  correct  "class"  of  second  failure  is  identified 
as  opposed  to  ambiguities  with  other  actuators.  While  not  optimum  by  any  criteria,  the  correct  filter  was 
identified  and  locked  1.6  seconds  after  the  second  failure.  The  rating  system  assigns  this  scenario  a  rating  of 
"Good". 

Figure  4.76  demonstrates  a  pitch  rate  sensor  and  rudder  actuator  failure.  The  probability  is  captured  by  the 
pitch  rate  »ensor  failure  filter  at  3.2  seconds  (0.2  seconds  after  failure  insertion).  The  level  1  pitch  rate  sensor 
failure  (S3)  bank  is  brought  "on-line".  The  second  failure  is  inserted  at  6.0  seconds,  after  which  the  pitch  rate 
sensor  and  rudder  actuator  (A5)  filter  begins  to  collect  probability  at  6.4  seconds  but  shares  the  probability  with 
the  pitch  rate  failure  only  (S3)  filter  until  6.9  seconds.  At  this  time,  all  of  the  probability  is  contained  within 
the  pilch  rate  sensor  and  rudder  actuator  failure  (A5)  filter.  The  subjective  rating  system  assigns  this  scenario 
a  rating  oi  "Good". 

Figure  4.77  presents  a  pitch  rate  sensor  and  roll  rate  sensor  combination  failure.  The  pitch  rate  sensor  is 
identified  as  the  correct  failure  at  3.2  seconds  (0.2  seconds  after  failure  insertion).  The  level  1  pitch  rate  sensor 
failure  (S3)  bank  is  brought  "on-line"  at  approximately  3.3  seconds.  The  pitch  rate  and  roll  rate  failure  (55) 
filter  is  identified  as  the  proper  filter  at  6.2  seconds  (0.2  seconds  after  the  second  failure  inserion).  Some  small 
probability  spiking  occurs  within  the  pitch  rate  and  right  flaperon  failure  (A4)  filler  and  the  pilch  rate  and  rudder 
failure  (A5)  filter.  As  is  the  case  with  nearly  all  of  the  double  sensor  failures,  the  detection  is  swift,  clean,  and 
correct.  The  rating  system  assigns  this  scenario  a  rating  of  "Good". 

Figure  4.78  illustrates  a  normal  acceleration  and  pitch  rate  failure.  The  normal  acceleration  failure  is 
inserted  at  3.0  seconds,  and  it  is  detected  and  locked  by  3.15  seconds.  The  level  1  normal  acceleration  failure 
(S4)  bank  is  brought  "on-line"  at  approximately  3.3  seconds.  The  pitch  rale  failure  is  inserted  at  6.0  seconds. 


The  normal  acceleration  and  pitch  rate  failure  (S3)  filter  captures  the  probability  within  0.15  seconds  and 
remains  locked,  '^'be  rating  system  assigns  this  scenario  a  rating  of  "Good".  This  failure  scenario  is  included 
to  demonstrate  additional  double  sensor  failure  characteristics. 

Figure  4.79  presents  the  data  for  a  yaw  rate  sensor  and  lateral  acceleration  sensor  dual  failure.  The  yaw 
rate  sensor  failure  is  initially  detected  at  3.3  seconds  but  not  locked  until  4.2  seconds.  This  delay  is  due  to  a 
known  phenomena  within  the  yaw  rate  residual  in  the  yaw  rate  filter.  A  bias  is  present  in  the  yaw  rate  residual. 
The  bias  is  believed  to  be  due  to  numerical  integration  problems.  The  solution  to  this  nuisance  is  to  restart  the 
filter  at  regular  intervals.  As  previously  discussed,  restarting  the  filters  will  remove  the  bias  from  the  residual 
calculations.  By  removing  the  bias,  the  yaw  residuals  will  fall  well  within  the  3o  bounds  and  will  result  in  good 
performance.  The  level  1  yaw  rate  sensor  failure  (S6)  bank  is  brought  "on-line"  at  approximately  4.3  seconds. 
The  insertion  of  the  second  failure  is  detected  immediately.  The  rating  system  assigns  this  scenario  a  rating  of 
"Good".  The  next  scenario  reverses  the  order  of  these  two  failures  to  demonstrate  differences  in  failure  detection 
characteristics. 

Figure  4.80  demonstrates  a  lateral  acceleration  sensor  and  yaw  rate  sensor  failure.  The  lateral  acceleration 
failure  is  detected  almost  immediately  after  failure  insertion  at  3.0  seconds.  The  level  1  lateral  acceleration 
failure  (S7)  bank  is  brought  "on-line"  at  approximately  3.2  seconds.  The  insertion  of  the  second  failure,  the  yaw 
rate  sensor,  is  only  partially  detected  by  the  lateral  acceleration  and  yaw  rate  sensor  failure  (S6)  filter.  The 
majority  of  the  probability  is  retained  by  the  lateral  acceleration  only  (S7)  filter.  This  scenario  is  assigned  a 
rating  of  "Poor"  by  the  subjective  rating  system.  This  scenario  produces  the  same  end  result  as  in  Figure  4.78 
yet  the  probability  traces  are  markedly  different  Restarting  the  yaw  rate  filter  may  significantly  improve  this 
scenario’s  rating. 
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4.4.2  Sinusoidal  Dither  Signals 

Figure  4.81  presents  data  for  a  dual  stabilator  failure  using  a  sinusoidal  dither.  At  3.0  seconds,  the  left 
stabilator  failure  is  induced.  The  stabilator  is  detected  and  locked  for  small  periods  of  time  from  3.2  to  6.0 
seconds.  The  level  1  left  stabilator  failure  (Al)  bank  is  brought  "on-line"  at  approximately  3.65  seconds.  The 
induction  of  a  right  stabilator  failure  at  6.0  seconds  is  indicated  by  the  probability  spiking  that  occurs  between 
the  left  stabilator  failure  only  (Al)  filter  and  the  dual  stabilator  failure  (A2)  filter.  While  this  scenario 
demonstrates  that  the  excitation  dither  signal  is  not  of  sufficient  strength  to  isolate  the  failure  positively,  it  is 
a  significant  improvement  over  Figure  4.71  in  which  proper  failure  detection  failed  to  occur.  The  subjective 
rating  system  assigns  a  rating  of  "Fair"  to  this  scenario. 

Figure  4.82  presents  a  right  flaperon  and  rudder  failure  using  a  sipt'so'dal  dither  cignal.  The  insertion  o^ 
a  right  flaperon  failure  at  3.0  seconds  is  initially  detected  by  the  right  flaperon  failure  filler  at  3.2  seconds.  The 
failure  is  not  locked  by  the  right  flaperon  failure  filter  until  4.0  seconds.  The  level  1  right  flaperon  failure  (A4) 
bank  is  brought  "on-line"  at  3.6  seconds.  Some  spiking  occurs  in  other  filters  during  the  3.0  to  4.0  time  franae. 
At  6.0  seconds,  the  rudder  failure  is  inserted.  The  majority  of  the  probability  is  shared  between  the  right 
flaperon  failure  only  (A4)  and  the  right  flaperon  and  rudder  failure  (A5)  filters.  The  dual  failure  combination 
is  detected  by  the  right  flaperon  and  rudder  failure  (A5)  filter  at  6.2  to  6.5  seconds,  lost  until  7.2  seconds,  lost 
again  at  7.5  seconds,  and  finally  locked  at  7.55  seconds.  The  signal  is  locked  through  8.0  seconds.  Comparison 
with  Figure  4.72  demonstrates  significant  differences.  Figure  4.72  was  assigned  an  "ND"  by  the  rating  system. 
Applying  the  previously  defined  criteria  to  this  scenario,  a  rating  of  "Good"  is  assigned  with  a  delay  between 
failure  insertion  and  probability  lock  of  1.5  seconds. 

Figure  4.83  presents  data  for  a  velocity  sensor  failure  and  a  left  stabilator  failure  using  a  sinusoidal  dither. 
The  velocity  sensor  failure  is  induced  at  3.0  seconds,  and  it  is  detected  and  locked  immediately.  The  level  1 
velocity  sensor  failure  (B7)  bank  is  brought  "on-line"  at  approximately  3.2  seconds.  The  insertion  of  the  second 
failure  at  6.0  seconds  demonstrates  that  the  probability  is  initially  shared  between  the  velocity  sensor  and  left 
stabilator  failure  (Al )  filter,  the  velocity  sensor  and  left  flaperon  failure  (A3)  filter,  the  velocity  sensor  and  right 
flaperon  failure  (A4)  filter,  the  velocity  sensor  and  mdder  failure  (A5)  filter,  the  velocity  sensor  failure  only  (SI) 
filter,  the  velocity  sensor  and  angle  of  attack  filter  (S2),  the  velocity  sen.sor  and  normal  acceleration  failure  (S4) 
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filter,  and  the  velocity  sensor  and  roll  rate  failure  (S5)  filter.  The  velocity  sensor  and  left  stabilator  failure  (Al) 
filter  and  the  velocity  sensor  and  left  flapcron  failure  (A3)  filter  compete  for  the  majority  of  the  probability. 
By  7.2  seconds,  the  velocity  sensor  and  left  stabilator  failure  (Al)  filter  and  the  velocity  sensor  failure  only  (SI) 
filter  fight  for  the  probability.  From  7.0  to  7.8,  the  velocity  sensor  and  left  stabilator  failure  (Al)  filter  contains 
the  majority  of  the  probability  with  only  tw  o  spikes  of  probability  showing  up  in  the  velocity  sensor  failure  only 
(SI)  filter.  At  7.8  seconds,  it  appears  that  the  probability  is  contained  within  the  velocity  sensor  and  left 
stabilator  failure  (Al)  filter.  By  the  established  rating  system,  this  scenario  is  assigned  a  "Good"  with  a  delay 
between  tailure  insertion  and  probability  lock  of  1.8  seconds.  Comparison  with  Figure  4.74  illustrates  the 
differences  for  this  dual  failure  combination  using  a  single  pulse  every  three  seconds  versus  continuous 
excitation. 

Based  upon  the  data  presented,  it  would  ssem  possible  to  provide  good  algorithm  performance  to  all  of  the 
failure  conditions  listed  in  Table  4.1  by  increasing  the  excitation  signals.  Recall  the  excitation  signals  were 
"sized"  for  single  failures,  i.e.,  assuming  that  all  actuaton  were  available  to  apply  needed  system  excitation  until 
the  first  dcclcfcd  failure.  Dual  actuator  failures  reduced  the  amount  of  e'^citation  in  many  scenarios,  resulting 
in  insufficient  excitation  for  proper  failure  identification.  Note  that  "resizing"  could  be  accomplished  for  each 
declared  first  failure;  however,  time  constraints  did  not  allow  the  investigation  of  this  hypothesis.  Also,  "resized" 
ditlier  signals  might  still  be  able  to  meet  the  estabhshed  subliminal  dither  criteria. 
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4.4.3  Residual  Monitoring 

Figures  4.84  -  4.92  demonstrate  the  usefubess  of  residual  monitoring.  The  failure  scenario  is  a  multiple 
failure  of  the  left  stabilator  and  the  velocity  sensor.  Figure  4.74.  The  left  stabilator  failure  is  induced  at  3.0 
seconds,  and  the  velocity  sensor  failure  is  induced  at  6.0  seconds.  Due  to  file  space  limitations,  the  residuals 
are  shown  only  from  4.0  to  7.0  seconds.  Three  filters  were  chosen  to  demonstrate  the  residuals’  characteristics 
in  a  multiple  failure:  the  fully  functional  filter,  the  left  stabilator  (only)  failure  filter,  and  the  left  stabilator  and 
velocity  sensor  failure  filter.  For  each  of  the  filters,  three  residuals  are  presented  that  portray  the  residuals’ 
characteristics:  the  velocity  residual,  the  pitch  rate  residual,  and  the  normal  acceleration  residual.  Other  residuals 
provide  additional  voting  in  this  case  as  well  (angle  of  attack,  yaw  rate,  and  lateral  acceleration).  To  conserve 
space,  these  residuals  are  not  presented  in  this  section.  Figures  4.84  -  4.86  present  the  residuals  for  the  fully 
functional  filter.  Figure  4.84  is  the  velocity  residual.  Figure  4.85  is  the  pitch  rate  residual,  and  Figure  4.86  is 
the  normal  acceleration  residual.  It  is  clear  that,  from  6.0  seconds  forward,  all  of  these  residuals  are  well  outside 
of  the  3 o  bounds. 

Figures  4.87  -  4.89  present  the  residuals  for  the  left  stabilator  (only)  failure  filter.  Figures  4.87  -  4.89  are 
the  velocity,  pitch  rate,  and  normal  acceleration  residuals,  respectively.  Again,  it  is  clear  that  these  residuals 
violate  the  3o  bounds  beyond  6.0  seconds.  Comparison  of  these  figures  with  Figures  4.84  -  4.86  indicate  the 
residuals  are  close,  except  for  a  few  difterences,  most  notably  in  the  pilch  rale  residual.  Figure  4.85  violates 
the  3a  bound  from  4,65  to  approximately  5.6  seconds.  Figure  4.88  contains  only  one  small  spike  that  violates 
the  3o  bounds  during  this  time  frame.  If  these  were  the  only  three  residuals  in  the  probability  computation  for 
the  filters,  one  might  deduce  that  the  filter  corresponding  to  Figures  4.87  -  4.89  would  capture  more  of  the 
probability  than  the  filter  containing  Figures  4.84  -  4.86.  This  is  exactly  the  case.  The  left  stabilator  failure 
(only)  filter  contains  a  large  portion  of  the  probability  until  6.0  seconds.  A  direct  relationship  exists  between 
the  residuals  and  the  probabilities  as  shown  mathematically  in  Chapters  2  and  3. 

Figures  4.90  -  4.92  present  the  velocity,  pitch  rate,  and  normal  acceleration  residuals,  respectively,  for  the 
left  stabilator  and  velocity  sensor  failure  filter.  From  Figure  4.90,  it  is  obvious  that  this  filter  has  the  incorrect 
hypothesis  until  6.0  seconds,  and  the  correct  hypothesis  thereafter.  The  residual  moves  back  withm  the  3o 
bounds  at  6.0  seconds.  Figure  4.91  demonstrates  that  the  pitch  rate  residual  violates  the  3o  bounds  at  4.7 
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seconds  and  continues  to  do  so  until  6.0  seconds.  At  6.0  seconds,  the  residual  moves  within  the  3o  bounds  and 
remains  within  the  bounds.  This  is  another  clear  signal  that  this  filter’s  hypothesis  is  correct  Figure  4.92 
provides  additional  confirmation  of  the  correct  hypothesis  from  6  seconds  and  beyond.  The  normal  acceleration 
residual  clearly  violates  the  3o  bounds  and  moves  back  within  the  bounds  at  6.5  seconds.  It  is  difficult  to 
determine  whether  the  residual  will  violate  the  bounds  after  7.0  seconds,  but  based  upon  the  probabiUty  trace, 
it  is  doubtful. 

This  section  was  intended  to  provide  the  reader  with  insight  into  the  relationship  between  residuals  and 
probabilities  and  to  demonstrate  the  usefulness  of  residual  monitoring.  Filters  based  on  an  incorrect  hypothesis 
can  provide  a  clear  "poor  hypothesis"  vote  through  residual  monitoring,  while  filters  whose  residuals  are  within 
the  3o  bounds  can  provide  a  clear  "correct  hypothesis"  vote.  All  of  the  filters  together  provide  a  complete 
picture  of  the  correct  failure.  This  technique  is  very  useful  for  sinusoidal  dithering,  but  has  not  been  as  useful 
for  single  dither  pulses.  Sinusoidal  dithering  tends  to  differentiate  clearly  between  good  and  poor  filter 
hypotheses.  Residuals  generated  by  the  application  of  dither  pulses  don’t  provide  sufficient  residual  signal 
characteristics  from  which  to  draw  conclusions. 

Practical  implementation  would  warrant  the  use  of  a  mixture  of  dither  signals  to  exploit  the  "good" 
characteristics  of  each  dither  w  ave  form.  Several  versions  of  each  wave  form  could  be  developed.  Within  each 
wave  form,  the  user  could  tune  the  dither  signal  to  ’look"  for  a  specific  failure.  An  algorithm  designed  to 
identify  failures  could  implement  each  of  the  specifically  tuned  forms  to  enhance  its  abiUty  to  identify  the 
failure(s).  Single  dither  pulses  are  useful  in  providing  clean  strong  pulses  which  have  good  identification 
characteristics.  However,  Ibe  associated  filter  residuals  are  of  very  little  use  in  resolving  ambiguities.  Sine 
waves  provide  good  identification  characteristics  but  may  not  be  the  best  wave  form  in  every  flight 
reguncyscenario.  However,  residuals  generated  by  a  sine  wave  dither  form  have  demonstrated  their  usefulness 
in  resolv  ing  ambiguities.  A  fault  detection  algorithm  should  combine  these  forms  to  produce  a  synergistic  effect, 
good  failure  detection,  isolation,  and  the  ability  to  resolve  any  ambiguities  that  may  arise.  The  use  of  subliminal 
dither  signals  provide  failure  detection  without  interfering  with  the  handhng  qualities  of  the  aircraft  This  is 
highly  desirable  when  a  subliminal  dither  signal  can  provide  good  performance.  For  situations  in  which  the 
pcrformaiKe  is  reduced,  the  pilot  could  enable  (at  his  discretion)  a  nonsubliminal  signal  to  identify  the  failure. 
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4.4.4  Increased  Dither  Signal  Strength 

Recall  from  Table  4.1,  the  right  flaperon  and  pitch  rate  sensor  failure  performance  rating  ("Poor'').  By 
increasing  the  strcngtii  of  the  dither  signal,  the  performance  can  be  significantly  improved.  Figure  4.93 
demonstrates  the  system  performance  for  a  right  flaperon  failure  inserted  at  3.0  seconds  followed  by  a  pilch  rate 
sensor  failure  induced  at  6.0  seconds.  The  level  1  right  flaperon  bank  was  brought  "on-line"  at  approximately 
3.25  seconds.  Based  upon  Figure  4.93,  the  subjective  rating  system  would  assign  this  result  as  "Fair".  Figure 
4.94  allows  the  reader  to  view  the  effects  of  the  dither  signal  on  the  state  variables.  At  3.0  seconds,  a  sinusoid 
is  superimposed  on  the  dither  signal.  This  provides  increased  system  excitation,  resulting  in  improved 
perfomiaiKe;  however,  the  performance  is  still  not  "Good"  Increasing  the  dither  signal  a  second  time  results 
in  "Good"  system  pcrfomiance  as  demonstrated  by  Figure  4.95.  Both  failures  in  Figure  4.95  are  identified  and 
locked  immediately.  Figure  4.96  displays  the  effect  of  the  increased  dither  signal  on  the  state  variables.  It  is 
clear  that  this  dither  signal  is  not  subliminal;  note  the  magnitude  here.  The  results  from  this  section  are 
included  in  Table  4.2.  The  purpose  of  this  section  has  been  to  demonstrate  that  an  increased  strength  dither 
signal  could  increase  the  subjective  rating  from  "ND"  or  'Poor*'  to  "Good".  This  increase  in  performance  is 
directly  related  to  the  type  and  strength  of  the  dither  signal. 
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4.4.5  Simultaneous  Dual  Failures 


Simultaneous  failures  were  developed  for  failures  separated  by  3.0,  0.5,  and  finally  0.1  seconds.  For  this 
thesis,  failures  .separated  by  0.1  seconds  are  defined  as  simultaneous.  Four  failure  scenarios  were  investigated; 
a  right  fiaperon  failure  and  left  stabilator  failure,  a  noimal  acceleration  sensor  failure  and  pitch  rate  sensor 
failure,  a  roll  rate  sensor  failure  followed  by  a  lateral  acceleration  sensor  failure,  and  a  roll  rate  sensor  failure 
followed  by  a  redder  failure.  Figure  4.97  presents  data  for  a  right  fiaperon  failure  followed  3.0  seconds  later 
by  a  left  stabilator  failure.  The  dither  signal  implemented  is  the  sinusoidal  dither  signal  used  in  the  previous 
section.  At  3.6  seconds,  the  level  1  right  fiaperon  failure  (A4)  bank  is  brought  "on-line".  The  second  failure 
is  induced  at  6.0  seconds.  The  left  stabilator  failure  is  detected  and  locked  within  0.2  seconds.  This  dual  failure 
was  assigned  a  rating  of  "Good"  in  Table  4.2.  Figure  4.98  presents  the  data  for  the  same  dual  failure  with  the 
failures  separated  by  0.5  seconds  instead  of  3.0  seconds.  The  right  fiaperon  is  identified  and  the  appropriate 
level  1  bank  is  brought  "on-line".  The  left  stabilator  failure  is  identified  within  0.2  seconds.  This  dual  failure 
is  assigned  a  rating  of  "Good".  Figure  4.99  presents  the  simultaneous  failure  of  the  right  fiaperon  and  the  left 
stabilator.  In  this  dual  failure,  the  left  stabilator  is  identified  within  0.25  seconds.  The  level  1  left  stabilator 
failure  (Al)  bank  is  brought  "on-line".  Both  flaperons experience  some  probability  spiking  during  the  remainder 
of  the  simulation  run.  This  dual  failure  scenario  is  assigned  a  rating  of  "Poor"  by  the  subjective  rating  system. 

Figure  4.100  portrays  a  normal  acceleration  sensor  failure  followed  3.0  seconds  later  by  a  pitch  rate  sensor 
failure.  The  normal  acceleration  sensor  failure  is  inserted  at  3.0  seconds  and  iefentified  immediately.  The  level 
1  normal  acceleration  sensor  failure  (S4)  bank  is  brought  "on-line".  The  pitch  rate  failure  is  induced  at  6.0 
seconds  and  identified  at  6.5  seconds.  The  subjective  rating  system  assigned  this  failure  scenario  a  rating  of 
’Good".  Figure  4.101  presents  the  same  failure  scenario  with  the  failures  separated  by  0.5  seconds  instead  of 
3.0  seconds.  The  first  failure  is  identified  within  0.1  seconds,  and  the  appropriate  bank  is  brought  "on-line". 
The  second  failure  is  identified  1.0  seconds  after  the  insertion  of  the  second  failure  at  3.5  seconds.  This  failure 
scenario  is  assigned  a  rating  of  "Good".  Figure  4 102  demonstrates  the  same  failure  scenario  with  the  failures 
induced  simultaneously.  Since  the  normal  acceleration  sensor  failure  has  a  much  smaller  identification  delay, 
the  normal  accelerabon  sensor  failure  is  identified  first,  and  the  appropriate  bank  is  brought  "on-line".  The 
normal  acceleration  and  pitrh  rafo  ronlairs  all  of  tlie  probability  at  4.4  seconds.  The  second  failure 
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requires  1.4  seconds  to  be  properly  identified.  This  failure  scenario  is  assigned  a  rating  of  "Good",  since  both 
failures  were  identified  and  locked  for  the  duration  of  the  simulation  nia 

Figure  4.103  presents  a  roll  rate  sensor  failure  followed  3.0  seconds  later  by  a  lateral  acceleration  sensor 
failure.  The  roll  rate  sensor  failure  is  induced  at  3.0  seconds  and  identified  almost  immediately.  The  level  1 
roll  rate  sensor  failure  (SS)  bank  is  brought  "on-line".  The  lateral  acceleration  sensor  failure  is  induced  at  6.0 
seconds  and  identified  by  the  roll  rate  sensor  failure  and  lateral  acceleration  sensor  failure  filter  almost 
immediately.  This  failure  scenario  is  assigned  a  rating  of  "Good".  Figure  4.104  presents  the  dual  failure  data 
with  a  0.5  second  separation  between  failures.  Again,  the  results  are  good.  The  first  failure  is  identified 
immediately  after  failure  insertion  at  3.0  seconds,  and  the  appropriate  level  1  bank  is  brought  "on-line".  The 
second  failure  is  inserted  at  3.5  seconds  and  identified  by  the  roll  rate  sensor  failure  and  lateral  acceleration 
sensor  failure  filter  (S7)  at  3.7  seconds.  This  failure  scenario  is  assigned  a  rating  of  "Good".  Figure  4.105 
presents  the  simultaneous  failure  scenario.  Although  not  obvious  from  the  figure,  the  roll  rate  sensor  is 
identified  almost  immediately  after  failure  insertion  and  the  level  1  roll  rate  sensor  failure  (S5)  bank  is  brought 
"on-line".  The  second  failure  is  identified  shortly  thereafter  by  the  roll  rate  sensor  failure  and  lateral  acceleration 
sensor  failure  (S7)  filter.  This  scenario  is  assigned  a  rating  of  "Good". 

Figure  4.106  presents  the  roll  rate  sensor  failure  followed  3.0  seconds  later  by  a  rudder  failure.  As  is  often 
the  case  with  sensor  failures,  the  roll  rate  sensor  failure  is  identified  almost  immediately  after  failure  insertion 
at  3.0  seconds.  The  level  1  roll  rate  sensor  failure  (S5)  bank  is  brought  "on-line".  The  rudder  failure  is  not 
identified  until  7.2  seconds  (1.2  seconds  after  failure  insertion).  The  roll  rate  sensor  failure  and  rudder  failure 
(A5)  filter  holds  the  probability  from  7.2  seconds  until  the  end  of  the  simulation  run.  This  scenario  is  assigned 
a  rating  of  ’Good".  Figure  4.107  presents  the  same  failure  scenario  with  the  failures  separated  by  0.5  seconds 
instead  of  3.0  seconds.  The  first  failure  is  identified  immediately  after  insertion  and  the  proper  bank  is  brought 
"on-line".  The  inseruou  of  ihr  pjdder  failure  at  3.5  seconds  is  not  detected  until  5.15  seconds.  Some  ambiguity 
with  the  roll  rate  sensor  failure  and  left  flaperon  failure  (A3)  filter  and  the  roll  late  sensor  and  right  stabilator 
failure  (A2)  filter  is  evident  from  the  figure  at  4.9  to  5.1  seconds.  At  5.15  seconds,  the  roll  rate  sensor  failure 
and  mdder  failure  (A5)  filter  holds  most  of  the  probabiiny,  uloI  apptoxunaiuy  6.4  secoous,  ai  winch  pouit  more 
ambiguity  arises.  The  roll  rate  sensor  failure  and  angle  of  attack  sensor  failure  (S2)  filter,  the  roll  rate  sensor 
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failure  only  (S5)  filter,  and  the  roll  rate  sensor  failure  and  yaw  rate  sensor  failure  (S6)  filter  all  contain  some 
portion  of  the  probability  from  6.2  seconds  to  7.2  seconds.  At  7.2  seconds,  the  roll  rate  sensor  failure  and 
rudder  failure  (A5)  filter  contains  all  of  the  probability  until  the  end  of  the  simulation  run.  This  scenario  is 
assigned  a  rating  of  "Good".  Figure  4.108  presents  the  simultaneous  failure  case  for  the  roll  rate  sensor  failure 
and  the  rudder  failure.  The  roll  rate  sensor  failure  is  identified  almost  immediately  after  the  insertion  of  the 
failure  at  3.0  seconds.  The  level  1  roll  rate  sensor  failure  (S5)  bank  is  brought  "on-line".  The  roll  rate  sensor 
failure  and  rudder  failure  (A5)  filter  contains  some  probability  spikes  from  3.6  to  4.5  seconds.  A  small  spike 
occurs  in  the  roll  rate  .sensor  failure  and  lateral  acceleration  sensor  failure  (S7)  filter  at  3.7  seconds.  A  small 
amount  of  the  probability  can  be  found  in  the  roll  rate  sensor  failure  and  yaw  rate  sensor  failure  (S6)  filter  from 
3.5  to  5.0  seconds.  The  roll  rate  sensor  failure  and  mdder  sensor  failure  (A5)  filter  contains  the  majority  of  the 
probability  from  5.1  seconds  until  the  end  of  the  simulation.  This  simultaneous  failure  is  assigned  a  rating  of 
■Good". 
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Summary 

Chapter  4  has  provided  an  overview  of  the  results  of  this  investigation.  The  intent  of  this  chapter  was  to 
present  the  results  of  the  research  effort  demonstrate  its  usefulness,  provide  insight  into  failure  detection 
phenomena,  and  explain  trends  in  the  data.  Chapter  5  will  present  overall  conclusions  and  recommendations 
for  future  studies  and  implementation. 

This  chapter  began  with  an  explanation  of  the  symbology  used  in  the  presentation  of  the  results  and  a 
general  discussion  of  hard,  soft,  and  multiple  failures.  Different  types  of  excitation  commands  were  presented, 
including:  purposeful  commands,  subliminal  dithering,  and  nonsubliminaJ  dithering.  A  discussion  of  pulsed 
dither  signals  and  sinusoidal  dither  signals  was  included.  A  section  discussing  residual  monitoring  and  its  value 
as  an  additional  voter  was  provided.  Multiple  failures  were  summarized  in  tabular  form.  A  subset  of  the  total 
dual  failure  matrix  was  presented  and  discussed  and  related  to  residual  monitoring. 
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V.  CONCLUSIONS  AND  RECOMMENDATIONS 


5.1  General 

This  chapter  begins  by  addressing  each  question  posed  in  Giapter  1 .  Relevant  results  from  Chapter  4  are 
included  as  supporting  evidence  where  appropriate.  A  review  of  results  presented  within  Chapter  4  is  included 
for  completeness.  Trends  are  identified,  as  are  areas  of  concern  requiring  additional  research.  The  presentation 
of  any  subjective  opinions  will  be  labeled  as  such. 

5.2  Response  to  Chapter  1 

The  first  array  of  questions  presented  in  Chapter  1  were  from  Section  1.62.1  Probability  Convergence. 

Do  the  elemental  probabilities  pj^  converge  to  a  solution?  Is  the  solution  the  correct  one? 

For  dual  failures,  is  the  convergence  path-dependent  (Le.,  is  the  order  of  failure  occurrence 

important  for  convergence  properties)? 

Are  the  convergence  rates  quick  enough  to  prevent  large  transients  or  loss  of  control? 

Are  the  convergence  rates  dependent  on  the  failure  type? 

All  of  the  data  produced  in  this  thesis  effort  indicates  that  the  elemental  probabilities  converge  to  a  solution. 
While  some  failures  have  been  undetected,  due  to  lack  of  sufficient  residual  excitation,  only  one  misidentificatioo 
was  discovered  out  of  nearly  2000  tests  conducted.  This  case  was  mentioned  in  Chapter  4:  the  appUcation  of 
a  rudder  kick  and  hold  when  attempting  to  identify  a  rudder  failure.  In  that  scenario,  the  algorithm  misidentifled 
the  yaw  rate  filter  with  a  probability  of  0.988  (maximum).  The  result  was  not  surprising  since  a  rudder  failure 
and  a  yaw  rate  failure  appeal  similar  in  the  state  variables.  Since  the  rudder  failed,  the  lack  of  a  rudder  input 
produced  very  little  yaw  rate,  resulting  in  a  situation  in  which  the  algorithm  could  not  distinguish  between  a 
rudder  failure  of  a  yaw  rate  sensor  failure.  The  rudder  kick  and  hold  provides  a  large  yaw  rate  until  the 
application  of  the  rudder  failure  in  which  no  yaw  rate  is  produced.  In  this  scenario,  yaw  rate  could  be  generated 
by  applying  differential  stabilator  and  flaperon  inputs  to  assist  in  resolving  the  ambiguity. 

For  dual  failures,  some  differences  exist  between  cases  in  which  the  orders  of  the  failures  are  reversed.  This 
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is  the  case  for  dual  failures  involving  an  actuator  and  a  sensor.  If  the  sensor  failure  occurs  first,  both  failures 
are  identified  promptly  and  correctly.  However,  if  the  actuator  failure  occurs  first,  a  larger  excitation  signal  is 
required  to  produce  good  identification  performance.  Table  4.1  demonstrates  this  phenomena.  The  gray 
regions,  indicating  substandard  performance,  are  primarily  located  within  the  actuator  first  failure  region.  While 
many  of  the  failure  ratings  within  this  region  were  shown  to  be  "good"  by  increasing  the  signal  excitation  level 
(strength),  an  increased  signal  strength  was  unnecessary  for  the  sensor-first  failure  region.  Also  of  interest,  the 
yaw  rate  and  lateral  acceleration  dual  sensor  failure  demonstrated  differences  based  upon  the  order  of  the 
failures.  While  it  is  believed  this  phenomena  is  explained  by  a  biased  yaw  rate  residual,  a  difference  does  exist. 

For  the  VISTA  F-16,  no  failures  resulted  in  loss  of  control  (LfXT).  This  is  dne  to  several  factors.  It  is  clear 
the  F- 16  was  designed  to  be  fail-safe  for  single  failures  (probably  except  for  hard-over  flight  critical  surfaces). 
In  this  research  effort,  hard  failures  were  modelled  by  failing  the  surface  trailing  edge  to  zero.  This  failure 
scenario  is  well  within  the  design  limitations  imposed  by  fail-safe  failure  constraints.  For  failed  sensors,  the 
flight  control  system  used  filter  estimates  in  place  of  the  lost  sensor  inputs.  In  this  implementation,  the  flight 
control  system  never  completely  lost  a  sensor  input,  even  if  the  quality  of  the  input  was  degraded.  By  only 
experiencing  a  slight  degradation  in  a  sensor  signal’s  quality,  the  flight  control  system  never  completely  lost  a 
sensor  signal  and  its  corresponding  feedback  path  (the  loss  of  a  critical  feedback  path  could  produce  severe 
consequences,  including  loss  of  control).  A  dual  stabilator  failure  may  result  in  LOC,  but  not  w  ithin  2.0  seconds 
in  a  benign  flight  condition.  (The  second  failure  was  typically  introduced  at  6.0  seconds,  whereas  the  simulation 
was  not  run  beyond  8.0  seconds.). 

Convergence  rates  are  dependent  on  the  failure  type.  Actuator  failures  may  be  detected  immediately,  as  in 
the  case  of  purposeful  commands,  or  they  may  be  detected  at  a  much  slower  rale.  Sensor  failures  almost  always 
converge  very  quickly  (within  0.1  seconds).  Some  sensor  failures  are  delayed  by  a  second  or  two,  but  the 
convergence  rate  properties  are  the  same  (very  quick)  once  identification  is  initiated.  An  exception  to  this  rule 
exists.  Often,  the  yaw  rate  filler  demonstrates  slow  convergence  properties.  A  bias  exists  within  this  filter,  and 
the  convergence  is  directly  related  to  the  dissipation  of  the  bias.  A  recurring  restart  on  the  yaw  rale  filter  would 
probably  eliminate  this  problem. 
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Fronj  Section  1.6  Residual  Monitoring: 


Are  there  additional  voting  techniques  which  may  enhance  the  algorithm’s  performance? 

Can  additional  voting  (beyond  the  UjvfM/tC  Probability  calculations)  improve  the 
performance  of  the  algorithm?  Is  it  useful  to  monitor  the  scalar  components  of 
the  residual  vector,  rather  than  the  entire  residual  vector  as  done  by  the  MMAE/MMAC 
algorithm  itself? 

Are  there  situations  in  which  residual  monitoring  breaks  down? 

In  what  situations  does  "Beta  Dominance"  become  important  and  what  are  the 
viable  solutions  to  this  problem? 

Residual  monitoring  has  demonstrated  its  usefulness  in  resolving  ambiguities.  Residual  monitoring  was 
extremely  effective  using  a  sinusoidal  dither  signal.  For  this  scenario,  the  technique  clearly  demonstrated  failure 
indications  in  the  velocity,  angle  of  attack,  normal  acceleration,  and  lateral  acceleration  single  scalar  residuals. 
By  developing  a  "whiteness"  check,  an  algorithm  could  count  the  number  of  zero  crossings  during  a  time  interval 
and  provide  a  vote  as  to  whether  tlie  hypothesis  within  a  specific  elemental  filter  was  "correct"  or  "incorrect". 
A  "correct"  filter’s  residuals  would  have  many  zero  crossings  and  look  essentially  like  "white"  noise.  An 
incorrect  filter  w  ould  demonstrate  a  significant  reduction  in  the  residual  zero  crossings  and  might  nearly  match 
the  frequency  of  the  dither  signal  in  at  least  some  of  the  single  scalar  residuals  for  that  filter.  Residual 
monitoring  has  its  limitations.  It  is  not  as  useful  for  pulse  dither  signals  in  this  application  due  to  the  short 
duration  of  the  pulses  and  the  limited  magnitude  of  the  pulse  signal  strengths  imposed  by  the  subliminal  dither 
signal  requiremeoL  Monitoring  is  useful  for  continuous  sinusoidal  signals  and  for  larger  amplitude  and  duration 
purposeful  commands.  "Beta  Dominance"  was  demonstrated  by  Stevens  [11,12].  Stevens'  results  indicated  that, 
by  stripping  off  the  leading  coefficient  in  the  numerator  density  function  (Eq.  (2.12)),  improved  performance 
could  be  obtained.  This  thesis  effort  assumed  Stevens'  results  were  correct  and  implemented  his 
recommendation.  The  results  from  this  thesis  provide  indirect  proof  of  that  assumption. 
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From  Section  1.6.2.3  Hleranhical  Modeling: 


Will  hierarchical  modeling  provide  good  multiple  failure  performance  for  the  current  application? 

In  the  event  of  simultaneous  dual  failures,  will  the  algorithm’s  performance  be  path-dependent? 

The  results  from  Chapter  4  indicate  good  overall  performance  for  multiple  failures.  The  hierarchical 
modeling  approach  is  sound  and  implementable.  One  improvement  to  the  hierarchical  structure  should  be  added. 
When  using  a  sinusoidal  dither,  a  probability  spike  can  send  the  algorithm  to  the  incorrect  Filter  bank.  Once 
within  the  bank,  the  only  route  back  to  the  level  0  (single  failure)  bank  is  through  the  no-failure  filter.  By 
waiting  for  the  probability  to  converge  to  the  no-failure  filler  within  the  incorrect  bank  (which  may  never 
happen),  the  overall  performance  will  be  degraded.  The  solution  to  an  incorrect  bank  switch,  usually  caused 
by  probability  spiking,  is  to  include  the  most  likely  single  failure  filter  within  the  filters  of  the  incorrectly 
idenbfied  bank.  This  modification  will  allow  an  alternate  route  out  of  an  incorrect  bank  and  enhance 
performance  for  spiking  probability.  As  an  example,  assume  a  left  stabilator  failure  is  modeled.  After  the 
insertion  of  the  failure,  a  probability  spike  can  occur  in  the  right  stabilator  filter.  The  right  stabilator  failure 
bank  (level  1)  will  be  identified  and  brought  "on-line".  The  probability  may  well  settle  into  the  dual  stabilator 
failure  filter  because  that  Filter  has  a  hypothesis  closer  to  a  left  stabilator  failure  than  any  other  filter  within  the 
right  stabilator  failure  bank  (incidentally,  this  is  an  actual  case  result).  After  the  probability  settles  into  the  dual 
stabilator  filter,  add  the  left  stabilator  failure  (only)  Filter.  If  the  probability  converges  to  this  Filter  for  a  period 
of  time,  assume  you  misidentified  the  First  failure  and  transfer  back  into  the  level  0  bank  (or  transfer  to  the  left 
stabilator  failure  level  1  bank  directly)  .  The  algorithm  will  transfer  into  the  left  stabilator  failure  bank  (level 
1)  and  performance  is  significantly  enhanced. 

For  simultaneous  failures,  there  is  some  evidence  to  suggest  that  the  algorithm’s  performance  is  path- 
dependent  This  is  particularly  true  for  actuator  and  sensor  failure  combinations.  From  Table  4.1,  the  majority 
of  identification  difficulties  were  the  result  of  inducing  a  hard  actuator  failure  as  the  First  failure.  In  cases  where 
the  sensor  failures  were  induced  prior  to  the  actuator  failures,  the  results  were  very  good  with  very  few  ratings 
below  "Good".  While  these  performance  differences  have  been  attributed  to  the  loss  of  residual  excitation  due 
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to  the  loss  of  an  actuator,  this  characteristic  should  be  listed  as  part  of  the  path  dependence  results. 
Additionally,  for  sensor  failures,  the  probability  convergence  rate  of  a  particular  sensor  failure  will  detemune 
which  path  the  algorithm  will  follow  to  the  double  failure  filter.  If  sensor  A  has  a  faster  convergence  rate  than 
sensor  B,  the  algorithm  will  bring  the  bank  corresponding  to  sensor  A  "on-line"  and  then  identify  the  second 
failure  within  that  bank. 

From  Section  /.d.2.5  "Cross  Axis  Coupling": 

Are  there  any  misidentifications  of  failures  due  to  the  cross~axis  coupling  phenomena? 

Can  additional  voters  be  used  to  Improve  the  algorithm’s  performance? 

Are  filters  specifically  designed  to  address  a  failure  that  may  effect  states  in  both 

axes  ("cross  coupling"  filters)  necessary? 

Can  the  algorithm  properly  identify  multiple  failures  in  different  axes? 

The  results  didn't  demonstrate  any  cross-axis  coupling  issues.  One  might  speculate  that,  as  the  number  of 
failure  levels  increase  (as  to  allow  for  3  failures),  the  level  of  ambiguity  increases,  and  coupling  phenomena  may 
occur.  The  addition  of  a  nonlinear  aerodynamic  data  base  may  introduce  coupling  phenomena.  The  argument 
against  that  premise  is  that  the  failure  detection  is  of  such  short  duration  (a  few  seconds  at  most),  any  reasonable 
aerodynamic  model  could  be  considered  linear  over  that  time  period  (provided  the  inputs  driving  the  model  are 
not  too  large). 

The  only  additional  voter  used  within  this  study  was  residual  monitoring.  A  "whiteness"  check  was 
introduced  to  improve  monitoring  effectiveness  but  no  other  new  useful  voting  technique  became  apparent  during 
the  evaluation  process.  A  commonly  used  (versus  new)  technique  of  counting  the  violations  of  the  3o  bounds 
by  the  individual  scalar  residual  magnitudes  was  still  very  useful.  The  addition  of  specially  designed  filters  for 
"cross  axes  coupling"  was  not  warranted  in  this  effort 

The  algorithm  has  proven  itself  to  be  robust  accurate,  and  reasonably  quick.  One  misidentification  has 
occurred.  Some  "No  Detections"  occurred,  but  every  class  of  "No  Detection"  or  Toor"  detection  was  addressed 
and  shown  to  be  correctable  by  using  larger  excitation  signals.  The  dual  stabilator  failure  will  be  the  most 
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difTicult  to  detect  since  there  are  no  surfaces  available  to  provide  large  state  excitations  in  the  pitch  axis,  unless 
one  is  allowed  to  actuate  flapcrons  in  tandem  rather  than  only  differentially.  A  number  of  mixed-axis  failures 
arc  iiK'luded  in  Table  4.1  w  ith  overall  good  results.  Table  4.2  is  an  update  of  Table  4.1  created  to  demonstrate 
the  perfomiancc  inpact  of  dither  signals  specifically  designed  to  address  four  failure  scenarios  rated  "ND"  or 
■Poor". 

5J  Conclusions  and  Trends 

In  general,  the  pcrfomiaiKe  of  the  MMAE  algorithm  in  this  applicaUon  can  be  charactcri/cd  as  good.  This 
is  tme  for  single  and  multiple  hard  failures.  The  results  are  good  for  all  single  hard  failures  of  actuators  and 
sensors  using  a  pulse  train  dither  signal.  Also,  single  hard  failure  results  for  purposeful  commands  are  good. 
Three  pur{X)seful  commands  were  evaluated:  a  roll  command,  a  pilch  and  roll  command,  and  a  rudder  kick  and 
hold.  One  misidentification  occurred  for  the  rudder  kick  and  hold  command.  For  a  rudder  failure,  a  yaw  rate 
sensor  failure  was  identified  as  the  "correct"  failure  (sec  Section  5.1.1).  This  is  the  only  misidcnUfication 
discovered  within  this  research  effort.  The  results  obtained  by  using  sinusoidal  dither  signals  arc  also  good. 
The  use  of  a  sinusoid  dither  provides  constant  failure  protection  because  of  the  continuous  nature  of  the  signal. 
Residual  monitoring,  using  a  sinusoidal  dither  signal,  provides  clear  indications  of  failures  through  the 
"whiteness",  frequency,  and  magnitude  (in  relation  to  the  3o  bounds)  of  the  residual. 

Single  soft  actuator  failures  can  be  detected  in  level  flight  when  the  actuator  effectiveness  is  between  50% 
and  75%  of  full  authority.  In  many  cases  the  two  "bounding"  filters  (i.e.,  the  fully  functional  aircraft  filter  and 
the  corresponding  hard  failure  filler)  share  the  probability,  as  the  theory  predicts.  The  performaiKe  can  be 
characterised  as  fair  to  good.  For  the  single  soft  sensor  failures  (modeled  as  lo  or  3.16o-increases  in  sensor 
noise),  the  results  arc  poor.  No  scenarios  received  a  good  rating  for  the  soft  sensor  failure  scenarios.  Many  of 
the  "correct"  filters  exhibited  a  spiking  phenomena  during  the  simulation.  This  characteristic  could  be  used  to 
identify  increased  sensor  noise  failures  in  some  cases.  Although  the  soft  sensor  failure  performance  is  poor, 
the  algorithm  is  much  more  sensitive  lo  sensor  biases.  Two  biases  cases  were  run  for  the  roll  and  yaw  rate 
sensor  filters  with  good  results  (Section  4.2.4.2). 

Overall,  the  multiple  hard  failure  scenarios  demonstrated  good  results  (Table  4.2).  For  a  dither  signal. 
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designed  for  single  failure  identification,  the  order  and  type  of  f.ulures  affect  failure  performance.  If  the  first 
failure  is  an  actuator,  the  reduction  in  the  excitation  signal  affects  the  second  failure  identification.  The  solution 
to  improve  perfomiance  is  to  increase  the  dither  signal  magnitude  after  the  first  failure.  In  general,  for 
simultaneous  failures,  uic  pcrfomiaiKe  can  be  rated  as  good.  Overall,  the  multiple  hard  failure  performance  can 
be  rated  as  good.  Some  notable  exceptions  exist  within  the  multiple  failure  section.  Dual  stabilator  failures  are 
difficult  to  detect  and  isolate  properly.  The  left  stabilator  failure  and  pitch  rate  sensor  failure  combination  has 
proven  difficult  to  delect  and  isolate.  This  may  also  be  tme  of  the  right  flaperon  and  roll  rate  sensor  failure 
combination  and  the  rudder  and  yaw  rate  sensor  failure  combination.  Other  failures  appear  to  require  a  stronger 
amplitude  signal  to  provide  good  results. 

For  partial  or  "soft"  actuator  failures,  the  detection  threshold  is  usually  between  50  aiKi  75  percent  failed 
on  any  individual  surface,  A  50  percent  failed  left  stabilator  is  detected  but  not  isolated  (locked),  while  a  75 
percent  failed  left  stabilator  is  detected  and  isolated.  This  failure  test  occurred  in  a  benign  fiight  condition 
(straight  and  level).  An  argunKiit  could  be  made  that  these  thresholds  would  be  improved  in  maneuvering  flight, 
since  the  aircraft  system  would  experience  greater  excitation.  However,  the  criticality  of  these  thresholds  in 
straight-and  levcl  flight  appears  to  be  a  moot  issue.  In  straight-and-lcvel  flight,  the  probability  for  a  loss  of 
control  situation  is  small. 

In  general,  the  sensor  noise  failures,  modeled  by  increasing  the  sensor  noise  by  lo  and  3.16c,  did  not 
provide  encouraging  results,  lu  .jme  cases,  the  sensor  failures  arc  evident  by  the  increased  probability  spiking 
in  the  appropriate  filter.  However,  the  isolation  of  a  sensor  failure  (defined  in  the  soft  sensor  failure  context, 
as  the  apjiropriate  sharing  of  the  probability  by  the  two  ’proper"  filters)  rarely,  if  ever,  occurs.  Often  the 
probability  is  distributed  among  many  elemental  filters  besides  the  two  "proper"  fillers.  An  argument  could  be 
made  that  modeling  a  sensor  with  increased  noise  may  not  be  appropriate  as  an  important  failure  mode  in  most 
scenarios.  In  an  air  data  or  inertial  sensor  environment,  a  "  .nsor  bias  may  be  a  more  realistic  manifestation  of 
a  soft  failure,  rather  than  increased  noise.  Preliminary  investigations  of  two  sensor  bias  failures  v*ere  conducted 
(roll  and  yaw  rate  sensor  biases).  The  results  indicate  the  algorithm  is  much  more  sensitive  to  sensor  biases  than 
increased  sensor  noise,  at  least  up  to  the  3.16o-increascd  sensor  noise  level  tested.  While  the  increased  sensor 
noise  seems  large,  the  aircraft  didn't  experience  any  loss  of  control  or  uncommanded  transients  during  the 


202 


simulation.  Again,  the  flight  criticality  of  this  failure  would  suggest  the  lack  of  failure  identification  or  detection 
is  a  moot  issue.  It  would  be  interesting  to  investigate  the  level  of  noise  required  to  disrupt  controlled  flight  and 
correlate  that  level  with  the  sensor  thresholds  for  increased  sensor  nois,  failure  detecLon  and  isolation.  One 
might  simnise,  based  upon  the  available  data  (the  probability  spiking  at  the  relatively  low  levels  of  incrca.sed 
sensor  noise),  that  the  thresholds  w  ould  occur  prior  to  loss  of  control.  This  conjecture  remains  to  be  addressed. 

Residual  n'.on’tonng  provides  additional  voting  to  resolve  ambiguities.  Re.-idual  monitoring  is  especially 
helpful  when  a  sinusoidal  dither  signal  is  applied.  Single  scalar  residuals  have  demonstrated  clear  indications 
of  failures.  A  correct  hypothesis  is  reflected  by  the  residual  falling  between  the  3o  bounds  and  appearing 
"white"  (uncoirelated,  with  a  large  number  of  zero  crossings,  perhaps  after  any  residual  bi^s  is  estimated  and 
cotinx;nsatcd).  An  incorrect  hypothesis  within  the  filter  is  reflected  by  a  (possibly)  biased  residual  violating  the 
3o  bounds  and  possessing  a  frequency  nearly  matching  that  of  the  sinusoidal  dither  (also  the  number  of  zero 
crossings  is  greatly  reduced).  These  indications  could  be  implemented  in  an  algorithm  that  counts  the  zero 
crossings  to  indicate  "whiteness"  and  thereby  the  "correctness"  of  a  hypothesis  during  situations  where 
ambiguities  must  be  resolved. 

While  many  dither  wave  fomis  were  explored,  the  sine  wave  dither  form  yielded  the  best  performance.  The 
signal  is  continuous,  arguably  subldninal,  and  demonstrates  good  performance.  It  also  is  extremely  useful  in 
residual  monitoring  to  re'solve  ambiguities.  The  continuous  nature  of  the  wave  form  provides  constant  failure 
detection  coverage  and  can  easily  be  modulated  in  amplitude  or  frr.  uency  to  provide  the  best  detection  signal 
for  a  given  failure  scenario.  A  continuously  alternating  frequency  may  provide  the  "optimal"  signal  for  good 
algorithm  perfomiancc  at  all  flight  conditions.  Amplitude  modulation  accounts  for  varying  dynamic  pressures, 
atmospheric  disturbances,  or  aircraft  staius  (a  stabilator  failure  may  exist,  which  requires  a  higher  amplitude 
signal  on  the  remaining  stabilator  to  provide  sufficient  excitation  for  good  second  failure  performance).  In  this 
thesis  effort,  we  did  not  consider  a  wideband  dither  signal,  but  sinusoidal  dither  forms  did  provide  better  overall 
performance  than  pulse  train  forms.  Good  results  are  also  obtained  during  maneuvering  flight  Maneuvering 
flight  provides  sufficient  excitation  to  ensure  good  algorithm  performance.  Large  amplitude  dynamic  maneuvers 
may  require  a  settling  time  prior  to  failure  detection  and  isolation.  In  general,  as  soon  as  a  quasi-steady  state 
is  achieved,  failure  detection  is  swift 
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This  chapter  answered  the  research  questions  posed  In  Chapter  1.  While  the  answers  are  impoilant,  they 
arc  not  nearly  as  important  as  the  trends  demonstrated  by  the  data  of  Chapter  4.  Since  the  writing  of  Chapter 
1  at  the  beginning  of  the  research  effort,  additional  questions  and  concerns  have  arisen.  The  conclusions  and 
trends  section  of  this  chapter  has  attempted  to  summarize  the  data  and  provide  additional  insight  to  the  reader. 
Some  conjecture  is  included  throughout  this  chapter  (oiten  with  supporting  evidence  found  in  Chapter  4).  While 
Chapter  4  provides  clues,  there  is  no  substitute  for  experience  with  the  algorithm  in  this  application.  The  results 
arc  promising  and  offer  a  possible  window  into  the  future  of  fault  detection  and  isolation  within  flight  control 
systems. 

Some  additional  questions  remain  to  be  addressed  in  future  studies. 

Are  there  arty  other  additional  voting  techniques  which  may  be  useful  In  this  application? 

Will  restarting  the  filters  at  regular  intervals  Improve  performance? 

For  Increased  sensor  noise,  do  the  thresholds  for  detection  and  isolation  occur  prior  to  loss  of  control? 

Does  the  algorithm  provide  good  performance  for  sensor  biases? 

Does  the  incorporation  of  a  nonlinear  aircrqft  model  Introduce  coupling  issues? 

Will  a  sinusoidal  dither  signal,  modulated  in  frequency  and  amplitude,  produce  good  algorithm 

performance  throughout  the  flight  control  regime,  in  atmospheric  disturbances,  and  rafter  a  first  failure 

has  occurred? 
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